Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-31692

Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring Security applies security to forward and include dispatcher types. The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method. The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include). The application may forward or include the request to a higher privilege-secured endpoint.The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true)

Published

2022-10-31T20:15:12.783

Last Modified

2025-05-06T16:15:23.147

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Primary
NVD-CWE-noinfo
Type: Secondary
CWE-639

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	vmware	spring_security	< 5.6.9	Yes
Application	vmware	spring_security	< 5.7.5	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	active_iq_unified_manager	-	Yes

References

https://security.netapp.com/advisory/ntap-20221215-0010/ Third Party Advisory ([email protected])
https://tanzu.vmware.com/security/cve-2022-31692 Mitigation, Vendor Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20221215-0010/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://tanzu.vmware.com/security/cve-2022-31692 Mitigation, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)