Missing Authorization Affecting org.springframework.security:spring-security-config package, versions [6.3.0,6.3.2)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.43% (35th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-7708022
  • published20 Aug 2024
  • disclosed19 Aug 2024
  • creditJosh Cumming

Introduced: 19 Aug 2024

CVE-2024-38810  (opens in a new tab)
CWE-862  (opens in a new tab)

How to fix?

Upgrade org.springframework.security:spring-security-config to version 6.3.2 or higher.

Overview

org.springframework.security:spring-security-config is a security configuration package for Spring Framework.

Affected versions of this package are vulnerable to Missing Authorization. When the applications using @AuthorizeReturnObject or the Spring Security produced AuthorizationAdvisorProxyFactory @Bean to wrap objects, they may not have all security advice applied, resulting in annotations like @PreFilter and @PreAuthorize may take no effect on these wrapped objects.

NOTE:

This does not impact any @Beans that use Spring Security's method security advice.

For this to impact an application, all of the following need to be true:

  1. AnnotationAwareAspectJAutoProxyCreator must be the auto proxy creator being used to create proxies; this can either be done declaratively by your application or enabled via @EnableAspectJAutoProxy or enabled by Spring Boot by virtue of using spring-aspects or a starter that uses spring-aspects

  2. The application must have at least one FactoryBean present in the application context.

  3. The application must enable method security with @EnableMethodSecurity

  4. The application must wrap objects using the @AuthorizeReturnObject annotation or the AuthorizationAdvisorProxyFactory @Bean` produced by Spring Security.

  5. The application must be using @PreFilter, @PostFilter, @PreAuthorize, or @PostAuthorize on those wrapped objects

CVSS Base Scores

version 4.0
version 3.1