PT-2021-14854 · Spring · Spring Security
Published 2021-02-24 · Updated 2021-02-24 · CVE-2021-221122
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Spring Security versions 5.4.x prior to 5.4.4
Spring Security versions 5.3.x prior to 5.3.8.RELEASE
Spring Security versions 5.2.x prior to 5.2.9.RELEASE
Spring Security older unsupported versions
Description
The issue arises when the SecurityContext is changed more than once within a single request, which can cause the SecurityContext not to be saved correctly. An attacker can leverage this to extend elevated privileges to the rest of the application in cases where the application intends to let the user run with elevated privileges only in a small portion of it.
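The scenario the description refers to, as an added illustration that is not code from the advisory or from the Spring Security project: an application helper that elevates the caller's authorities for one scoped action and restores the original SecurityContext afterwards. The class name `ScopedElevation`, the method `runElevated`, and the `ROLE_ADMIN` authority are assumptions for the example; on the affected versions the end-of-request save of the SecurityContext is what can misbehave, so the pattern complements the upgrade rather than replacing it.

```java
import java.util.function.Supplier;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical helper: runs one action with elevated authorities and
// always puts the caller's original SecurityContext back afterwards.
public final class ScopedElevation {

    private ScopedElevation() {
    }

    public static <T> T runElevated(Supplier<T> action) {
        // Keep a reference to the context that was in place before elevation.
        SecurityContext original = SecurityContextHolder.getContext();
        Authentication caller = original.getAuthentication();
        if (caller == null) {
            throw new IllegalStateException("no authenticated caller to elevate");
        }

        // Build the elevated Authentication with the same principal but an
        // extra authority (ROLE_ADMIN is an assumed name for this example).
        Authentication elevated = new UsernamePasswordAuthenticationToken(
                caller.getPrincipal(),
                caller.getCredentials(),
                AuthorityUtils.createAuthorityList("ROLE_ADMIN"));

        // Use a fresh context object rather than mutating the original one,
        // so the original can be restored unchanged in the finally block.
        SecurityContext scoped = SecurityContextHolder.createEmptyContext();
        scoped.setAuthentication(elevated);
        SecurityContextHolder.setContext(scoped);
        try {
            return action.get();
        } finally {
            // Second context change in the same request: restore the caller's context
            // so the elevated authorities do not leak to the rest of the application.
            SecurityContextHolder.setContext(original);
        }
    }
}
```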
Recommendations
For Spring Security versions 5.4.x prior to 5.4.4, update to version 5.4.4 or later.
For Spring Security versions 5.3.x prior to 5.3.8.RELEASE, update to version 5.3.8.RELEASE or later.
For Spring Security versions 5.2.x prior to 5.2.9.RELEASE, update to version 5.2.9.RELEASE or later.
For Spring Security older unsupported versions, consider upgrading to a supported version.
Related Identifiers
Affected Products
Spring Security