CVE-2022-22978

Authorization Bypass
Affects
Spring Security
<5.4.11, >=5.5.0 <5.5.7, >=5.6.x <5.6.4
in
Spring
No items found.
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Spring Security is a comprehensive Java security framework for securing enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of secure applications by allowing you to manage authentication, authorization, and other security concerns with ease. Spring Security integrates seamlessly with the Spring Framework, offering robust tools for configuring access controls, managing user roles, and protecting resources, all while allowing Java to be your primary language for application development.

An Authorization Bypass vulnerability (CVE-2022-22978) has been identified in Spring Security, which can lead to bypasses of RegexRequestMatcher on certain servlet containers, potentially leaving applications vulnerable to authorization bypass.

This issue affects multiple versions of Spring Security.

Details

Module Info

Vulnerability Info

RegexRequestMatcher can be prone to misconfiguration, which may lead to authorization bypass on certain servlet containers. Applications using RegexRequestMatcher with a . in the regular expression could be vulnerable to such bypass issues. For more details, see the Spring Security advisory and review the CVSS impact assessment.

Steps To Reproduce

The CVE-2022-22978 in Spring Security involves bypassing RegexRequestMatcher-based authentication. By exploiting differences in character encoding (using %0a or %0d for newline characters), attackers can bypass protected endpoints. To reproduce, set up a Spring Boot app with a vulnerable Spring Security version, configure an authentication requirement for certain endpoints, and use the encoded newline characters to bypass the restriction.

@RestController
public class SecretsController {
	@GetMapping("/secrets/*")
	public String getSecrets() {
		return "secret";
	}
}

@Configuration
public class ServiceConfiguration extends WebSecurityConfigurerAdapter {
	@Override
	public void configure(HttpSecurity httpSecurity) throws Exception {
		httpSecurity.authorizeRequests()
			.regexMatchers("/secrets/.*")
			.authenticated();
	}
}

Having the controller and configuration into the service, call GET /secrets/1 and notice the 403.

GET /secrets/%0a1 bypasses the pattern, as encoded newline characters aren’t matched properly by regexMatchers, leading to unauthorized access.

Credits

  • Hiroki Nishino
  • Toshiki Sasazaki
  • Yoshinori Hayashi
  • Jonghwan Kim

Mitigation

Spring Security 4 and 5 are no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Security.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
Vulnerability Details
ID
CVE-2022-22978
PROJECT Affected
Spring Security
Versions Affected
<5.4.11, >=5.5.0 <5.5.7, >=5.6.x <5.6.4
Published date
May 16, 2022
≈ Fix date
November 22, 2024
Severity
High
Category
Authorization Bypass