Privilege Escalation Vulnerability in Spring Security by VMware
CVE-2022-31690

8.1HIGH

Key Information:

Vendor: Vmware
Status: Spring Security
Vendor: CVE Published:; 31 October 2022

Summary

Certain versions of Spring Security are vulnerable to privilege escalation that may arise when a malicious user modifies requests to the Authorization Server. If this server responds with an OAuth2 Access Token containing an empty scope list, it can result in unauthorized privileges for the attacker during token requests, leading to potential security breaches.

Affected Version(s)

Spring Security Spring Security (5.7 to 5.7.4 and 5.6 to 5.6.8 as well as older, unsupported versions)

References

https://tanzu.vmware.com/security/cve-2022-31690

https://security.netapp.com/advisory/ntap-20221215-0010/

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 31, 2022
Vulnerability Reserved
May 25, 2022