
1124 matches found

OSV
added 2022/10/31 8:15 p.m., 0 views

UBUNTU-CVE-2022-31690

Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client via the browser to the Authorization Server which...

8.1 CVSS, 7.2 AI score, 0.00313 EPSS
Exploits 0, References 3
Spring Engineering
added 2022/10/31 4:41 p.m., 185 views

CVE-2022-31692: Authorization rules can be bypassed via forward or include in Spring Security

Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31692 affecting the AuthorizationFilter. Users are encouraged to update as soon as possible...

4.5 AI score, 0.07387 EPSS
Exploits 3
Spring Engineering
added 2022/10/31 4:41 p.m., 231 views

CVE-2022-31690: Privilege Escalation in spring-security-oauth2-client

Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31690 affecting the mapping of authorized scopes in spring-security-oauth2-client. Users are encouraged to update as soon as possible. Impact Users who have applied the mitigation should take note of the...

0.7 AI score, 0.00313 EPSS
Exploits 0
Positive Technologies
added 2022/10/31 12:00 a.m., 4 views

PT-2022-20890

Name of the Vulnerable Software and Affected Versions: Spring Security versions 5.6 through 5.6.8; Spring Security versions 5.7 through 5.7.4. Description: The issue allows a malicious user or attacker to modify a request initiated by the Client to the Authorization Server, potentially leading to a...

8.1 CVSS, 7.2 AI score, 0.00313 EPSS
Exploits 0, References 10
Vulnrichment
added 2022/10/31 12:00 a.m., 8 views

CVE-2022-31690

Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client via the browser to the Authorization Server which...

8.1 AI score, 0.00313 EPSS
Exploits 0, References 2
CNNVD
added 2022/10/31 12:00 a.m., 2 views

VMware Spring Security security vulnerability

VMware Spring Security is a suite of security frameworks from VMware that provide illustrative security protections for Spring-based applications. A security vulnerability exists in VMware Spring Security versions 5.7.x prior to 5.7.5 and 5.6.x prior to 5.6.9, which stems from a malicious user or...

8.1 CVSS, 7.8 AI score, 0.00313 EPSS
Exploits 0, References 6
Cvelist
added 2022/10/31 12:00 a.m., 24 views

CVE-2022-31692

Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring Security applies...

9.6 AI score, 0.07387 EPSS
Exploits 3, References 2
CVE
added 2022/10/31 12:00 a.m., 197 views

CVE-2022-31692

CVE-2022-31692 affects Spring Security prior to 5.7.5 (and 5.6 prior to 5.6.9). The issue allows authorization bypass when an application configures the FilterChainProxy to apply security to forward/include dispatcher types and uses AuthorizationFilter via manual wiring or authorizeHttpRequests()...

9.8 CVSS, 9.2 AI score, 0.07387 EPSS
Exploits 3, References 2, Affected Software 1
CVE
added 2022/10/31 12:00 a.m., 410 views

CVE-2022-31690

CVE-2022-31690 affects Spring Security versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9. A malicious user could modify a client-initiated request to the Authorization Server, leading to privilege escalation on the subsequent approval if the OAuth2 Access Token Response incorrectly contains an e...

8.1 CVSS, 7.8 AI score, 0.00313 EPSS
Exploits 0, References 2, Affected Software 1
Vulnrichment
added 2022/10/31 12:00 a.m., 14 views

CVE-2022-31692

Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring Security applies...

9.4 AI score, 0.07387 EPSS
Exploits 3, References 2
Positive Technologies
added 2022/10/31 12:00 a.m., 7 views

PT-2022-20892

Name of the Vulnerable Software and Affected Versions: Spring Security versions 5.6 prior to 5.6.9; Spring Security versions 5.7 prior to 5.7.5. Description: The issue concerns the potential bypass of authorization rules in Spring Security via forward or include dispatcher types. An application is...

9.8 CVSS, 6.7 AI score, 0.07387 EPSS
Exploits 3, References 14
CNNVD
added 2022/10/31 12:00 a.m., 3 views

VMware Spring Security security vulnerability

VMware Spring Security is a suite of security frameworks from VMware that provide illustrative security protections for Spring-based applications. A security vulnerability exists in VMware Spring Security versions 5.7.x prior to 5.7.5 and 5.6.x prior to 5.6.9, which stems from the possibility of...

9.8 CVSS, 7 AI score, 0.07387 EPSS
Exploits 3, References 5
Cvelist
added 2022/10/31 12:00 a.m., 20 views

CVE-2022-31690

Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client via the browser to the Authorization Server which...

8.2 AI score, 0.00313 EPSS
Exploits 0, References 2
Spring Engineering
added 2022/10/24 7:00 a.m., 83 views

This Week in Spring - October 25th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! When last we spoke, I was in Las Vegas, NV, for the JavaOne show. It was amazing! I'm in sunny Singapore, then off to Malaysia and Thailand. It's the first time I've been to any of these places since 2019! How good it is to be...

4.8 AI score, 0.00416 EPSS
Exploits 0
Spring Engineering
added 2022/10/18 7:00 p.m., 14 views

This Week in Spring - October 18th, 2022

Hi, Spring fans! How're you doin'? I'm doin' alright! Last week I was in Antwerp, Belgium, for the amazing Devoxx BE show. I did a presentation with my friend and hero James Ward on Spring and Kotlin that was voted third most-liked talk at a show with more than 250 speakers! That was a personal caree...

0.6 AI score
Exploits 0
IBM Security Bulletins
added 2022/09/22 7:15 p.m., 83 views

Security Bulletin: Spring Security OAuth Affects IBM Partner Engagement Manager (CVE-2022-22969)

Summary IBM Sterling Partner Engagement Manager uses Spring Security OAuth that is vulnerable to a denial of service, caused by initiation of the Authorization Request in an OAuth 2.0 Client application. By sending multiple specially-crafted requests, a remote attacker could exploit this...

6.5 CVSS, 6.5 AI score, 0.00587 EPSS
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2022/09/22 7:12 p.m., 41 views

Security Bulletin: spring-security (Publicly disclosed vulnerability) Affects IBM Partner Engagement Manager (CVE-2022-22978)

Summary: IBM Sterling Partner Engagement Manager uses Spring Security that could allow a remote attacker to bypass security restrictions, caused by a flaw in the RegexRequestMatcher component. By misconfiguring RegexRequestMatcher with '.' in the regular expression, an attacker could exploit this...

9.8 CVSS, 9.1 AI score, 0.90224 EPSS
Exploits 6, Affected Software 1
Spring Engineering
added 2022/09/20 7:00 a.m., 34 views

This Week in Spring - September 20th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring wherein I endeavor as best as I can to capture the latest-and-greatest in the wide, wacky, and wonderful world of Springdom! Naturally, I fail miserably basically every week. There's no way I could hope to capture everything of...

4.5 AI score, 0.00174 EPSS
Exploits 0
Spring Engineering
added 2022/09/13 7:00 a.m., 13 views

This Week in Spring - September 13th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! We've got a lot of good stuff to get to so let's dive right into it! A Bootiful Podcast: Hashicorp's Rosemary Wang on securing the intersection of apps and ops with Hashicorp Vault; a nice video by my colleague Dan Vega: Spring...

0.1 AI score
Exploits 0
NCSC
added 2022/09/02 12:00 a.m., 6 views

Vulnerabilities fixed in NetApp Active IQ Unified Manager

NetApp has fixed vulnerabilities in the Spring Security component of Active IQ Unified Manager for Windows, Linux, and VMware vSphere. The vulnerabilities allow a malicious party to execute attacks that result in the following categories of damage: Denial-of-Service (DoS); Manipulation of data...

9.8 CVSS, 6.7 AI score, 0.90224 EPSS
Exploits 6