PT-2022-20892 · Unknown · Spring Security

Osword · Published 2022-10-31 · Updated 2025-05-06 · CVE-2022-31692

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

- Spring Security versions 5.6 prior to 5.6.9
- Spring Security versions 5.7 prior to 5.7.5
Description

Spring Security could allow its authorization rules to be bypassed via the FORWARD or INCLUDE dispatcher types. An application is vulnerable only when all of the following are true:

- It expects Spring Security to apply security to forward and include dispatcher types.
- It uses the AuthorizationFilter, either manually or via the authorizeHttpRequests() method.
- It configures the FilterChainProxy to apply to forward and/or include requests.
- It may forward or include a request to a higher-privilege-secured endpoint.
- It configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true).

In that configuration the authorization check the application expects on the forwarded or included dispatch is not enforced, so a caller who is allowed to reach a lower-privilege endpoint that forwards or includes a higher-privilege one reaches the target without holding the authority its rule requires.
Recommendations

- Spring Security 5.6 prior to 5.6.9: update to version 5.6.9 or later.
- Spring Security 5.7 prior to 5.7.5: update to version 5.7.5 or later.

Upgrading is the fix. Do not disable the AuthorizationFilter as a workaround: it is the component that enforces the authorization rules, and removing it leaves every endpoint unprotected instead of closing the bypass. Until the upgrade can be deployed, reduce exposure by avoiding forwards or includes from lower-privilege endpoints to higher-privilege ones, and by restricting access to higher-privilege endpoints with a check that does not depend on the web filter chain (for example method security on the handler itself), so that a forwarded or included request is still rejected at the target.
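
The following is an added illustration of the configuration shape the conditions above describe. It is not code from the advisory or from the Spring Security project; the package, the users, the roles and the two endpoints (/public/report and /admin/report) are hypothetical, and it assumes a Spring Boot 2.7.x application on Spring Security 5.7.4 (vulnerable) or 5.7.5 (fixed) with spring-boot-starter-web and spring-boot-starter-security on the classpath.

```java
// --- src/main/resources/application.properties (Spring Boot property) ---
// Registers the FilterChainProxy for FORWARD and INCLUDE dispatches in
// addition to the defaults, which is one of the preconditions above:
//
//   spring.security.filter.dispatcher-types=request,error,async,forward,include

// --- SecurityConfig.java (hypothetical package) ---
package com.example.forwardbypass;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // authorizeHttpRequests() installs the AuthorizationFilter (precondition 2).
            .authorizeHttpRequests(authz -> authz
                // The application intends the rules below to be enforced on
                // FORWARD and INCLUDE dispatches too (preconditions 1 and 5).
                .shouldFilterAllDispatcherTypes(true)
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/public/**").authenticated()
                .anyRequest().authenticated()
            )
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    UserDetailsService users() {
        // Constructed test users for the walkthrough; {noop} selects the
        // plaintext password encoder and is only acceptable in a demo.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password("{noop}alice-pw").roles("USER").build(),
            User.withUsername("admin").password("{noop}admin-pw").roles("ADMIN").build());
    }
}

// --- ReportController.java (same hypothetical package) ---
package com.example.forwardbypass;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class ReportController {

    // Lower-privilege endpoint: any authenticated user may call it, but it
    // hands the request on with a servlet forward to the admin-only endpoint
    // (precondition 4). The "forward:" view prefix is resolved by Spring MVC's
    // UrlBasedViewResolver and triggers a FORWARD dispatch.
    @GetMapping("/public/report")
    public String report() {
        return "forward:/admin/report";
    }

    // Higher-privilege endpoint, protected only by the /admin/** rule above.
    @GetMapping("/admin/report")
    @ResponseBody
    public String adminReport() {
        return "admin-only report";
    }
}
```

To check a deployment, authenticate as the low-privilege user and request the forwarding endpoint, for example with `curl -u alice:alice-pw http://localhost:8080/public/report`. On an affected version the response body is the admin-only report, because the /admin/** rule is never evaluated for the FORWARD dispatch; on 5.7.5 or 5.6.9 with the identical configuration the forwarded dispatch is authorized and the request is expected to be rejected with HTTP 403, while `curl -u admin:admin-pw` on the same URL still succeeds. The same comparison, with a JSP or servlet include in place of the controller forward, exercises the INCLUDE dispatch.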


Weakness Enumeration

Incorrect Authorization
IDOR

Related Identifiers

CVE-2022-31692
GHSA-MMMH-WCXM-2WR4
RHSA-2023:1655

Affected Products

Spring Security