Authorization Bypass Vulnerability in Spring Security by VMware
CVE-2022-31692

9.8CRITICAL

Key Information:

Vendor: Vmware
Status: Spring By Vmware
Vendor: CVE Published:; 31 October 2022

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The vulnerability affects Spring Security when specific configurations are present in the application. If an application utilizes Spring Security's AuthorizationFilter, expecting it to enforce security on forward and include dispatcher types, and if these dispatcher types are applied to requests that target higher-privileged endpoints, the security implementation may be bypassed. Applications must ensure proper security configurations to mitigate the risk of unauthorized access due to this flaw. For more details, refer to the related advisories.

Affected Version(s)

Spring by VMware 5.7 to 5.7.4, 5.6 to 5.6.8 and older versions

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

cve-2022-31692
Created by SpindleSec

cve-2022-31692
Created by hotblac

References

https://tanzu.vmware.com/security/cve-2022-31692

https://security.netapp.com/advisory/ntap-20221215-0010/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Oct 29, 2023
👾
Exploit known to exist
Oct 29, 2023
Vulnerability published
Oct 31, 2022
Vulnerability Reserved
May 25, 2022