org.springframework.security:spring-security-config@6.3.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.security:spring-security-config package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Authorization Bypass

org.springframework.security:spring-security-config is a security configuration package for Spring Framework.

Affected versions of this package are vulnerable to Authorization Bypass due to the use of String.toLowerCase() and String.toUpperCase() that have Locale dependent exceptions, which results in authorization rules not working properly.

How to fix Authorization Bypass?

Upgrade org.springframework.security:spring-security-config to version 5.7.14, 5.8.16, 6.2.8, 6.3.5 or higher.

[,5.7.14) [5.8.0,5.8.16) [6.2.0,6.2.8) [6.3.0,6.3.5)
  • M
Missing Authorization

org.springframework.security:spring-security-config is a security configuration package for Spring Framework.

Affected versions of this package are vulnerable to Missing Authorization. When the applications using @AuthorizeReturnObject or the Spring Security produced AuthorizationAdvisorProxyFactory @Bean to wrap objects, they may not have all security advice applied, resulting in annotations like @PreFilter and @PreAuthorize may take no effect on these wrapped objects.

NOTE:

This does not impact any @Beans that use Spring Security's method security advice.

For this to impact an application, all of the following need to be true:

  1. AnnotationAwareAspectJAutoProxyCreator must be the auto proxy creator being used to create proxies; this can either be done declaratively by your application or enabled via @EnableAspectJAutoProxy or enabled by Spring Boot by virtue of using spring-aspects or a starter that uses spring-aspects

  2. The application must have at least one FactoryBean present in the application context.

  3. The application must enable method security with @EnableMethodSecurity

  4. The application must wrap objects using the @AuthorizeReturnObject annotation or the AuthorizationAdvisorProxyFactory @Bean` produced by Spring Security.

  5. The application must be using @PreFilter, @PostFilter, @PreAuthorize, or @PostAuthorize on those wrapped objects

How to fix Missing Authorization?

Upgrade org.springframework.security:spring-security-config to version 6.3.2 or higher.

[6.3.0,6.3.2)