org.springframework.security:spring-security-config@6.3.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.security:spring-security-config package. This does not include vulnerabilities belonging to this package’s dependencies.

Authorization Bypass (severity: M)

org.springframework.security:spring-security-config is a security configuration package for Spring Framework.

Affected versions of this package are vulnerable to Authorization Bypass due to the use of String.toLowerCase() and String.toUpperCase(), whose results depend on the JVM's default Locale. Under some locales the converted strings differ from what the rule author expected, so authorization rules may not match as intended.
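The following is an added illustration of the Locale-dependent case-conversion pitfall described above; it is example code written for this page, not Spring Security's own matcher. It compares a role check that normalizes case with the JVM's default locale against one pinned to Locale.ROOT. The role names, the ALLOWED set and the hypothetical helper methods are constructed for the example.

```java
import java.util.Locale;
import java.util.Set;

// Constructed example: a role check whose case normalization depends on the
// default locale, beside the locale-insensitive form. Not Spring Security code.
public class LocaleCaseCheck {

    // Roles the rule allows, stored in canonical lower-case form.
    private static final Set<String> ALLOWED = Set.of("role_admin", "role_audit");

    /** Vulnerable shape: default-locale lowercasing, so the outcome varies by JVM locale. */
    static boolean allowedDefaultLocale(String grantedRole) {
        return ALLOWED.contains(grantedRole.toLowerCase());
    }

    /** Hardened shape: Locale.ROOT gives the same result on every JVM. */
    static boolean allowedLocaleRoot(String grantedRole) {
        return ALLOWED.contains(grantedRole.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        Locale saved = Locale.getDefault();
        try {
            // Simulate a JVM whose default locale is Turkish, where
            // "I".toLowerCase() yields dotless i (U+0131) rather than "i".
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));
            String granted = "ROLE_ADMIN";
            System.out.println("default-locale lowercasing : " + granted.toLowerCase());
            System.out.println("Locale.ROOT lowercasing    : " + granted.toLowerCase(Locale.ROOT));
            System.out.println("default-locale check       : " + allowedDefaultLocale(granted));
            System.out.println("Locale.ROOT check          : " + allowedLocaleRoot(granted));
        } finally {
            Locale.setDefault(saved);
        }
    }
}
```

Run under a Turkish default locale (the program sets it itself), the two lowercasings of "ROLE_ADMIN" differ because of the dotless i, so the default-locale check and the Locale.ROOT check disagree on the same input. Whether such a mismatch causes a rule to fail open or fail closed depends on which side of the comparison was normalized; the fix in either case is the same as the upstream one: never let an authorization rule's string comparison depend on the runtime locale. Pass Locale.ROOT to toLowerCase()/toUpperCase() in your own rules, and upgrade the library so Spring Security's rules do the same.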

How to fix Authorization Bypass?

Upgrade org.springframework.security:spring-security-config to version 5.7.14, 5.8.16, 6.2.8, 6.3.5 or higher.

Vulnerable versions: [,5.7.14) [5.8.0,5.8.16) [6.2.0,6.2.8) [6.3.0,6.3.5)

Missing Authorization (severity: M)

org.springframework.security:spring-security-config is a security configuration package for Spring Framework.

Affected versions of this package are vulnerable to Missing Authorization. When an application uses @AuthorizeReturnObject or the Spring Security-produced AuthorizationAdvisorProxyFactory @Bean to wrap objects, those wrapped objects may not have all security advice applied, so annotations such as @PreFilter and @PreAuthorize may have no effect on them.

NOTE: This does not impact any @Beans that use Spring Security's method security advice.

For this to impact an application, all of the following need to be true:

  1. AnnotationAwareAspectJAutoProxyCreator must be the auto proxy creator used to create proxies. This can be configured declaratively by your application, enabled via @EnableAspectJAutoProxy, or enabled by Spring Boot by virtue of using spring-aspects or a starter that uses spring-aspects.

  2. The application must have at least one FactoryBean present in the application context.

  3. The application must enable method security with @EnableMethodSecurity.

  4. The application must wrap objects using the @AuthorizeReturnObject annotation or the AuthorizationAdvisorProxyFactory @Bean produced by Spring Security.

  5. The application must be using @PreFilter, @PostFilter, @PreAuthorize, or @PostAuthorize on those wrapped objects.

How to fix Missing Authorization?

Upgrade org.springframework.security:spring-security-config to version 6.3.2 or higher.

Vulnerable versions: [6.3.0,6.3.2)