Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-WMV4-5W76-VP9G
HistorySep 15, 2020 - 8:16 p.m.

Authorization Bypass in Spring Security

2020-09-1520:16:22
CWE-287
GitHub Advisory Database
github.com
58
spring security
cas proxy ticket
authentication
access control
mitigation
upgrade
david ohsie
cas development team
software

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

71.5%

JSON

When using Spring Security’s CAS Proxy ticket authentication a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request.

This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed.

If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users.

Mitigation

Users of affected versions should apply the following mitigation:

  • Users of 3.2x should upgrade to 3.2.5 or later
  • Users of 3.1.x should upgrade to 3.1.7 or later

Credit

This issue was identified by David Ohsie and brought to our attention by the CAS Development team.

Affected configurations

Vulners
Node
org.springframework.securityspring-security-coreRange3.2.03.2.5
OR
org.springframework.securityspring-security-coreRange<3.1.7
VendorProductVersionCPE
org.springframework.securityspring-security-core*cpe:2.3:a:org.springframework.security:spring-security-core:*:*:*:*:*:*:*:*

Related

ubuntucve 1
nessus 2
cve 1
prion 1
osv 1
nvd 1
cvelist 1
fedora 2
openvas 2
ubuntucve
ubuntucve
CVE-2014-3527
2017-05-25 00:00:00
nessus
nessus
Fedora 19 : springframework-security-3.1.7-1.fc19 (2014-9646)
2014-08-30 00:00:00
Fedora 20 : springframework-security-3.1.7-1.fc20 (2014-9648)
2014-08-30 00:00:00
cve
cve
CVE-2014-3527
2017-05-25 17:29:00
prion
prion
Design/Logic Flaw
2017-05-25 17:29:00
osv
osv
Authorization Bypass in Spring Security
2020-09-15 20:16:22
nvd
nvd
CVE-2014-3527
2017-05-25 17:29:00
cvelist
cvelist
CVE-2014-3527
2017-05-25 17:00:00
fedora
fedora
[SECURITY] Fedora 20 Update: springframework-security-3.1.7-1.fc20
2014-08-30 03:57:51
[SECURITY] Fedora 19 Update: springframework-security-3.1.7-1.fc19
2014-08-30 03:53:38
openvas
openvas
Fedora Update for springframework-security FEDORA-2014-9648
2014-08-31 00:00:00
Fedora Update for springframework-security FEDORA-2014-9646
2014-08-31 00:00:00

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

71.5%

JSON
Related for GHSA-WMV4-5W76-VP9G
ubuntucve1nessus2cve1prion1osv1nvd1cvelist1fedora2openvas2