Overview
Spring Security is a comprehensive Java security framework for securing enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of secure applications by allowing you to manage authentication, authorization, and other security concerns with ease. Spring Security integrates seamlessly with the Spring Framework, offering robust tools for configuring access controls, managing user roles, and protecting resources, all while allowing Java to be your primary language for application development.
An Authorization Bypass vulnerability (CVE-2022-22978) has been identified in Spring Security, which can lead to bypasses of RegexRequestMatcher on certain servlet containers, potentially leaving applications vulnerable to authorization bypass.
This issue affects multiple versions of Spring Security.
Details
Module Info
- Product: Spring Security
- Affected packages: spring-security-web
- Affected versions: <5.4.11, >=5.5.0 <5.5.7, >=5.6.x <5.6.4
- GitHub repository: https://github.com/spring-projects/spring-security
- Package manager: Maven
- Fixed in: Spring NES v4.2.22
Vulnerability Info
RegexRequestMatcher can be prone to misconfiguration, which may lead to authorization bypass on certain servlet containers. Applications using RegexRequestMatcher with a . in the regular expression could be vulnerable to such bypass issues. For more details, see the Spring Security advisory and review the CVSS impact assessment.
Steps To Reproduce
The CVE-2022-22978 in Spring Security involves bypassing RegexRequestMatcher-based authentication. By exploiting differences in character encoding (using %0a or %0d for newline characters), attackers can bypass protected endpoints. To reproduce, set up a Spring Boot app with a vulnerable Spring Security version, configure an authentication requirement for certain endpoints, and use the encoded newline characters to bypass the restriction.
@RestController
public class SecretsController {
@GetMapping("/secrets/*")
public String getSecrets() {
return "secret";
}
}
@Configuration
public class ServiceConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.authorizeRequests()
.regexMatchers("/secrets/.*")
.authenticated();
}
}
Having the controller and configuration into the service, call GET /secrets/1 and notice the 403.
GET /secrets/%0a1 bypasses the pattern, as encoded newline characters aren’t matched properly by regexMatchers, leading to unauthorized access.
Credits
- Hiroki Nishino
- Toshiki Sasazaki
- Yoshinori Hayashi
- Jonghwan Kim
Mitigation
Spring Security 4 and 5 are no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to supported versions of Spring Security.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.