
A high-severity flaw has been discovered in Spring Security, potentially allowing unauthorized access to sensitive data within affected applications.
Spring Security’s method security features allow developers to control access to application methods using annotations like @PreAuthorize and @PostAuthorize. The vulnerability, tracked as CVE-2024-38810, lies in how those annotations are applied: when objects are wrapped using @AuthorizeReturnObject or the AuthorizationAdvisorProxyFactory @Bean, the annotations are not reliably applied to the wrapped objects, opening the door for threat actors.
As a result, the security annotations @PreFilter, @PostFilter, @PreAuthorize, and @PostAuthorize may fail to enforce the expected security restrictions on these wrapped objects, leaving the application vulnerable to unauthorized access or data exposure.
The vulnerability impacts Spring Security versions 6.3.0 and 6.3.1.
The vulnerability only affects applications meeting ALL the following conditions:
- Using AnnotationAwareAspectJAutoProxyCreator for auto-proxy creation
- Having at least one FactoryBean in the application context
- Enabling method security with @EnableMethodSecurity
- Wrapping objects using @AuthorizeReturnObject or AuthorizationAdvisorProxyFactory
- Using @PreFilter, @PostFilter, @PreAuthorize, or @PostAuthorize on those wrapped objects
Users of affected Spring Security versions are urged to upgrade immediately to version 6.3.2, which fixes the flaw.
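To confirm that method security is actually enforced on wrapped objects after the upgrade, the following JUnit 5 regression test is an added example written for this article; it is not code from the Spring project or from the original advisory. The Account and AccountRepository classes, the bean names and the secret value are hypothetical, and the test assumes spring-security-config, spring-security-test, spring-aop and JUnit 5 on the test classpath. It sets up the listed preconditions as far as a unit test can (the auto-proxy creator via @EnableAspectJAutoProxy, a FactoryBean in the context, @EnableMethodSecurity, @AuthorizeReturnObject on the repository method, and @PreAuthorize on the returned object). If the non-admin test does not see an AccessDeniedException, the annotation is not being applied to the wrapped object and the application is still running an unpatched configuration.

```java
// Added example (not from the advisory or the Spring project): a regression test that
// checks @PreAuthorize is enforced on an object wrapped via @AuthorizeReturnObject.
// Account, AccountRepository and the secret value are constructed for this example.
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authorization.method.AuthorizeReturnObject;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

@SpringJUnitConfig(AuthorizeReturnObjectRegressionTest.Config.class)
class AuthorizeReturnObjectRegressionTest {

    // Domain object whose sensitive getter carries a method security annotation.
    public static class Account {
        private final String id;
        private final String secret;

        public Account(String id, String secret) {
            this.id = id;
            this.secret = secret;
        }

        public String getId() { return id; }

        // Only admins may read this field, even through the proxy returned below.
        @PreAuthorize("hasRole('ADMIN')")
        public String getSecret() { return secret; }
    }

    // Repository whose return value Spring Security wraps in an authorization proxy.
    public static class AccountRepository {
        @AuthorizeReturnObject
        public Account findById(String id) {
            return new Account(id, "constructed-secret"); // constructed sample data
        }
    }

    @Configuration
    @EnableMethodSecurity
    @EnableAspectJAutoProxy // registers AnnotationAwareAspectJAutoProxyCreator (a precondition)
    static class Config {
        @Bean
        AccountRepository accountRepository() { return new AccountRepository(); }

        // A FactoryBean in the context is another of the listed preconditions.
        @Bean
        FactoryBean<String> markerFactoryBean() {
            return new FactoryBean<>() {
                @Override public String getObject() { return "marker"; }
                @Override public Class<?> getObjectType() { return String.class; }
            };
        }
    }

    @Autowired
    AccountRepository repository;

    @Test
    @WithMockUser(roles = "USER")
    void nonAdminCannotReadSecretThroughWrappedObject() {
        Account account = repository.findById("42");
        assertEquals("42", account.getId()); // unannotated getter stays readable
        // On a fixed version this throws; if it returns normally, @PreAuthorize is not applied.
        assertThrows(AccessDeniedException.class, account::getSecret);
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void adminCanReadSecret() {
        assertEquals("constructed-secret", repository.findById("42").getSecret());
    }
}
```

Run it as part of the normal test suite so that a future dependency downgrade or a change in proxy configuration is caught automatically; the admin test guards against the opposite failure, where the proxy denies everyone.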

