PT-2022-26153 · Grails · Grails Spring Security Core Plugin

Adrien Peter (+2) · Published 2022-11-23 · Updated 2023-07-10 · CVE-2022-41923

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
- Grails Spring Security Core plugin versions 1.x
- Grails Spring Security Core plugin versions 2.x
- Grails Spring Security Core plugin versions 3.0.0 through 3.3.1
- Grails Spring Security Core plugin versions 4.0.0 through 4.0.4
- Grails Spring Security Core plugin versions 5.0.0 through 5.1.0

Description
The Grails Spring Security Core plugin is vulnerable to privilege escalation: an attacker can reach one endpoint (the target) while being checked against the authorization requirements of a different endpoint (the donor). Access to the target is then granted to anyone who satisfies the donor's requirements rather than the target's own.

Recommendations
- Grails Spring Security Core plugin version 1.x: update to a patched release of the plugin.
- Grails Spring Security Core plugin version 2.x: create a subclass extending one of the following classes from the grails.plugin.springsecurity.web.access.intercept package and override the calculateUri method: AnnotationFilterInvocationDefinition, InterceptUrlMapFilterInvocationDefinition, or RequestmapFilterInvocationDefinition.
- Grails Spring Security Core plugin versions 3.0.0 through 3.3.1: update to version 3.3.2 or later.
- Grails Spring Security Core plugin versions 4.0.0 through 4.0.4: update to version 4.0.5 or later.
- Grails Spring Security Core plugin versions 5.0.0 through 5.1.0: update to version 5.1.1 or later.
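The following Groovy class is an added example of the kind of subclass the 2.x workaround above describes; it is not code from this advisory or from the plugin project. It assumes (unconfirmed here) that AbstractFilterInvocationDefinition declares calculateUri as `protected String calculateUri(HttpServletRequest request)`, and that the plugin registers its definition under the bean name objectDefinitionSource. The idea is to refuse, before any rule lookup happens, any request path that is not already in canonical form, so that a rule written for one endpoint can never be consulted for a request that only resolves to that endpoint after normalization.

```groovy
// Added example for the 2.x workaround (not the plugin's own code).
// Assumptions, to be checked against the installed plugin source:
//   - calculateUri is declared as
//       protected String calculateUri(HttpServletRequest request)
//   - the plugin wires its definition bean under the name "objectDefinitionSource"
package example.security

import javax.servlet.http.HttpServletRequest
import org.springframework.security.access.AccessDeniedException
import grails.plugin.springsecurity.web.access.intercept.AnnotationFilterInvocationDefinition

class CanonicalUriFilterInvocationDefinition extends AnnotationFilterInvocationDefinition {

    // Percent-encoded '/', '\', '.' and '%': once decoded these change which
    // path the request actually resolves to, so they are never accepted.
    private static final List<String> REJECTED_ENCODINGS = ['%2f', '%5c', '%2e', '%25']

    @Override
    protected String calculateUri(HttpServletRequest request) {
        String path = request.requestURI.substring(request.contextPath.length())
        if (!isCanonical(path)) {
            // Fail closed: a non-canonical path is never matched against any rule.
            // ExceptionTranslationFilter turns this into an access-denied response.
            throw new AccessDeniedException('request path is not in canonical form')
        }
        // The path needs no rewriting, so the plugin's own lookup key is safe to use.
        return super.calculateUri(request)
    }

    /** True only if the path can be matched against rules exactly as received. */
    static boolean isCanonical(String path) {
        if (!path.startsWith('/')) return false
        // Matrix parameters, backslashes and empty segments all create a second
        // spelling of the same resource.
        if (path.contains(';') || path.contains('\\') || path.contains('//')) return false
        String lower = path.toLowerCase()
        if (REJECTED_ENCODINGS.any { lower.contains(it) }) return false
        // Dot segments resolve to a different path after normalization.
        return !path.split('/', -1).any { it == '.' || it == '..' }
    }
}
```

To activate it, the class has to be registered under the plugin's bean name in grails-app/conf/spring/resources.groovy with the same properties the plugin sets on its own bean; check the plugin's doWithSpring for that list. Rejecting the request outright, rather than trying to normalize it and continue, is deliberate: a normalizer that disagrees with the container's own URL handling re-creates the donor/target mismatch the advisory describes, whereas a refusal can only ever deny.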

Weakness Enumeration
- Incorrect Authorization
- Improper Privilege Management

Related Identifiers
- CVE-2022-41923
- GHSA-FRQG-VVXG-JQQH

Affected Products
- Grails Spring Security Core Plugin