CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.029 Low
Percentile: 89.7%
Spring Security Web is vulnerable to authorization bypass (CVE-2022-31692). The vulnerability exists in AuthorizationFilter because it incorrectly extends OncePerRequestFilter, which runs the filter only once per request; a request that is subsequently dispatched through a forward or include is therefore not re-evaluated against the authorization rules, which allows an attacker to bypass those rules via the FORWARD or INCLUDE dispatcher types.
References:
docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html
github.com/advisories/GHSA-mmmh-wcxm-2wr4
github.com/SpindleSec/cve-2022-31692-demo
github.com/spring-projects/spring-security/commit/1f481aafff14f324ffe2b43a973d3d5f54ae92d4
github.com/spring-projects/spring-security/commit/2915a70bf786e2bd0780d686d432b9ba85617522
github.com/spring-projects/spring-security/issues/12102
github.com/spring-projects/spring-security/issues/12113
github.com/spring-projects/spring-security/releases/tag/5.6.9
github.com/spring-projects/spring-security/releases/tag/5.7.5
security.netapp.com/advisory/ntap-20221215-0010/
securityonline.info/cve-2022-31692-spring-framework-authorization-rules-bypass-vulnerability/
tanzu.vmware.com/security/cve-2022-31692