TROYANOSYVIRUS
Zuruck zu CVEs

CVE-2022-31692

CRITICAL
9.8

Beschreibung

Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring Security applies security to forward and include dispatcher types. The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method. The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include). The application may forward or include the request to a higher privilege-secured endpoint.The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true)

CVE Details

CVSS v3.1 Bewertung9.8
SchweregradCRITICAL
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienNONE
BenutzerinteraktionNONE
Veroffentlicht10/31/2022
Zuletzt geandert5/6/2025
Quellenvd
Honeypot-Sichtungen0

Betroffene Produkte

netapp:active_iq_unified_managervmware:spring_security

Schwachen (CWE)

CWE-639

Referenzen

https://security.netapp.com/advisory/ntap-20221215-0010/(security@vmware.com)
https://tanzu.vmware.com/security/cve-2022-31692(security@vmware.com)
https://security.netapp.com/advisory/ntap-20221215-0010/(af854a3a-2127-422b-91ae-364da2661108)
https://tanzu.vmware.com/security/cve-2022-31692(af854a3a-2127-422b-91ae-364da2661108)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.