Missing Authorization Affecting org.springframework.security:spring-security-config package, versions [6.3.0,6.3.2)


Severity: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS: 0.04% (12th percentile)

  • Snyk ID: SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-7708022
  • Published: 20 Aug 2024
  • Disclosed: 19 Aug 2024
  • Credit: Josh Cumming

Introduced: 19 Aug 2024

CVE-2024-38810
CWE-862

How to fix?

Upgrade org.springframework.security:spring-security-config to version 6.3.2 or higher.

Overview

org.springframework.security:spring-security-config is a security configuration package for Spring Framework.

Affected versions of this package are vulnerable to Missing Authorization. When an application uses @AuthorizeReturnObject, or the AuthorizationAdvisorProxyFactory @Bean produced by Spring Security, to wrap objects, the wrapped objects may not have all security advice applied, so annotations such as @PreFilter and @PreAuthorize may have no effect on them.

NOTE:

This does not impact any @Beans that use Spring Security's method security advice.

For this to impact an application, all of the following need to be true:

  1. AnnotationAwareAspectJAutoProxyCreator must be the auto proxy creator used to create proxies; this can be configured declaratively by your application, enabled via @EnableAspectJAutoProxy, or enabled by Spring Boot by virtue of using spring-aspects or a starter that uses spring-aspects.

  2. The application must have at least one FactoryBean present in the application context.

  3. The application must enable method security with @EnableMethodSecurity.

  4. The application must wrap objects using the @AuthorizeReturnObject annotation or the AuthorizationAdvisorProxyFactory @Bean produced by Spring Security.

  5. The application must be using @PreFilter, @PostFilter, @PreAuthorize, or @PostAuthorize on those wrapped objects.
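An added regression test, not from the advisory or the Spring Security project, that wires up the five conditions above so that it fails whenever @PreAuthorize is not enforced on an object wrapped via @AuthorizeReturnObject. It assumes Spring Security 6.3.x with spring-security-test and JUnit 5 on the test classpath; the Config, Account and AccountRepository names are constructed for the example.

```java
import static org.junit.jupiter.api.Assertions.assertThrows;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authorization.method.AuthorizeReturnObject;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

// Constructed regression test (assumes Spring Security 6.3.x + spring-security-test).
@SpringJUnitConfig(WrappedObjectAuthorizationTest.Config.class)
class WrappedObjectAuthorizationTest {
    @Configuration
    @EnableAspectJAutoProxy   // condition 1: AnnotationAwareAspectJAutoProxyCreator
    @EnableMethodSecurity     // condition 3: method security enabled
    static class Config {
        @Bean
        FactoryBean<String> anyFactoryBean() {   // condition 2: a FactoryBean in the context
            return new FactoryBean<>() {
                public String getObject() { return "unused"; }
                public Class<?> getObjectType() { return String.class; }
            };
        }
        @Bean
        AccountRepository accountRepository() { return new AccountRepository(); }
    }
    public static class Account {
        @PreAuthorize("hasRole('ADMIN')")   // condition 5: advice on the wrapped object
        public String getSecret() { return "constructed-secret"; }
    }
    public static class AccountRepository {
        @AuthorizeReturnObject               // condition 4: wrap the returned object
        public Account findAccount() { return new Account(); }
    }
    @Autowired AccountRepository repository;

    @Test
    @WithMockUser(roles = "USER")   // authenticated, but not ADMIN
    void preAuthorizeIsEnforcedOnWrappedObject() {
        Account account = repository.findAccount();
        // Affected versions may return the secret; 6.3.2+ denies the call.
        assertThrows(AccessDeniedException.class, account::getSecret);
    }
}
```

Run it against the current dependency tree before and after the upgrade to 6.3.2; a passing test shows the security advice is applied to the wrapped object.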
