PT-2021-14853 · Spring · Spring Security

Published: 2021-02-23 · Updated: 2021-12-08 · CVE-2021-22112

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Spring Security versions 5.2.x prior to 5.2.9.RELEASE
Spring Security versions 5.3.x prior to 5.3.8.RELEASE
Spring Security versions 5.4.x prior to 5.4.4
Spring Security older unsupported versions

Description
The issue arises when the SecurityContext is changed more than once in a single request, potentially leading to a failure in saving the SecurityContext. A malicious user cannot directly cause this bug to occur, as it must be programmed into the application. However, if an application intends to grant elevated privileges to a user for only a portion of the application, this bug can be exploited to extend those privileges to the entire application.

Recommendations
For Spring Security versions 5.2.x prior to 5.2.9.RELEASE, update to version 5.2.9.RELEASE or later.
For Spring Security versions 5.3.x prior to 5.3.8.RELEASE, update to version 5.3.8.RELEASE or later.
For Spring Security versions 5.4.x prior to 5.4.4, update to version 5.4.4 or later.
For Spring Security older unsupported versions, consider upgrading to a supported version to mitigate the risk.

Fix

Weakness Enumeration
Improper Privilege Management

Related Identifiers
CVE-2021-22112
GHSA-GQ28-H5VG-8PRX

Affected Products
Spring Security