#VU68866 Improper Authorization in Spring Security


Published: 2022-11-01

Vulnerability identifier: #VU68866

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-31692

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Spring Security
Server applications / Frameworks for developing and running applications

Vendor: VMware, Inc

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to authorization rules bypass via forward or include dispatcher types. A remote attacker can bypass authorization process.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Spring Security: 5.6.0 - 5.7.4

External links
http://tanzu.vmware.com/security/cve-2022-31692

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Oracle Banking Virtual Account Management
Multiple vulnerabilities in Dell Networker
Multiple vulnerabilities in Communications Unified Assurance
Multiple vulnerabilities in IBM i Modernization Engine for Lifecycle Integration
Improper authorization in IBM Maximo Application Suite
Multiple vulnerabilities in Multicluster Engine for Kubernetes 2.2
Multiple vulnerabilities in IBM InfoSphere Information Server
Improper authorization in IBM Process Mining
Multiple vulnerabilities in Oracle Communications Element Manager
Multiple vulnerabilities in Oracle Communications Session Report Manager