Authorization Bypass Affecting org.springframework.security:spring-security-web package, versions [5.6.0, 5.6.9) [5.7.0, 5.7.5)


Severity: high

Snyk CVSS
    Attack Complexity: High
    Confidentiality: High
    Integrity: High

Threat Intelligence
    EPSS 0.28% (69th percentile)

NVD: 9.8 critical
Red Hat: 7.4 high

  • Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-3092126
  • published 1 Nov 2022
  • disclosed 1 Nov 2022
  • credit Osword

How to fix?

Upgrade org.springframework.security:spring-security-web to version 5.6.9, 5.7.5 or higher.

Overview

org.springframework.security:spring-security-web is a package within Spring Security that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Authorization Bypass via forward or include dispatcher types.

An application is vulnerable when all of the following are true:

  1. The application expects that Spring Security applies security to forward and include dispatcher types.

  2. The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method.

  3. The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include).

  4. The application may forward or include the request to a higher privilege-secured endpoint.

  5. The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true).

An application is not vulnerable if any of the following is true:

  1. The application does not use authorizeHttpRequests() or the AuthorizationFilter.

  2. The application does not forward/include requests.

  3. The application does not need to configure Spring Security to apply to FORWARD and INCLUDE dispatcher types.

Workaround

Users who are unable to upgrade should use authorizeRequests().filterSecurityInterceptorOncePerRequest(false) instead of authorizeHttpRequests().shouldFilterAllDispatcherTypes(true).

Users on versions below 5.7.0, where shouldFilterAllDispatcherTypes is not available, should instead add an ObjectPostProcessor:

authorizeHttpRequests().withObjectPostProcessor(new ObjectPostProcessor<AuthorizationFilter>() {
    @Override
    public <O extends AuthorizationFilter> O postProcess(O filter) {
        // Evaluate authorization on every dispatch of the request, not just the first one
        filter.setObserveOncePerRequest(false);
        // Also apply the filter on ASYNC and ERROR dispatches
        filter.setFilterAsyncDispatch(true);
        filter.setFilterErrorDispatch(true);
        return filter;
    }
});
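The following is an added example, not code from the advisory or from the Spring Security project, showing the affected configuration (all of the conditions above hold) next to the workaround for users who cannot upgrade. It assumes Spring Boot 2.7 with spring-security-web 5.7.x before 5.7.5, an application.properties containing the advisory's setting spring.security.filter.dispatcher-types=request,error,async,forward,include, and hypothetical class names, profile names and URL patterns.

```java
// Added example; not code from the advisory or the Spring Security project.
// Assumes Spring Boot 2.7 with spring-security-web 5.7.x before 5.7.5 and
// application.properties containing the advisory's setting:
//   spring.security.filter.dispatcher-types=request,error,async,forward,include
// Class names, profile names and URL patterns are hypothetical.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

public class DispatcherTypeSecurityConfig {

    // Profile "affected": every condition from the advisory holds.
    // authorizeHttpRequests() installs AuthorizationFilter, and
    // shouldFilterAllDispatcherTypes(true) asks it to cover FORWARD and
    // INCLUDE dispatches too; on affected versions that is not honoured,
    // so a forward or include into /admin/** is not re-authorized.
    @Configuration
    @Profile("affected")
    static class AffectedConfig {
        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http.authorizeHttpRequests(auth -> auth
                    .shouldFilterAllDispatcherTypes(true)
                    .antMatchers("/admin/**").hasRole("ADMIN")
                    .anyRequest().authenticated())
                .httpBasic();
            return http.build();
        }
    }

    // Profile "workaround": the advisory's mitigation when upgrading is not
    // possible. authorizeRequests() uses FilterSecurityInterceptor, and
    // filterSecurityInterceptorOncePerRequest(false) makes it re-evaluate
    // the rules on forwarded and included requests as well.
    @Configuration
    @Profile("workaround")
    static class WorkaroundConfig {
        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http.authorizeRequests(auth -> auth
                    .filterSecurityInterceptorOncePerRequest(false)
                    .antMatchers("/admin/**").hasRole("ADMIN")
                    .anyRequest().authenticated())
                .httpBasic();
            return http.build();
        }
    }
}
```

Activate exactly one of the two profiles; with the "workaround" profile, a request that is forwarded or included into /admin/** is checked against the ADMIN rule on the second dispatch as well.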

Note:

In Spring Security 5, the default behavior is to not apply the filters more than once to a request, therefore users have to explicitly configure Spring Security to do that. In addition, the FilterChainProxy is also not configured to be invoked on forward and include dispatcher types.