CVE-2022-31690

Privilege Escalation
Affects: Spring Security in Spring
Versions: >= 5.7.0 < 5.7.5, < 5.6.9
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Security is a comprehensive authentication and access-control framework for Java applications. It is the standard for securing Spring-based applications, providing support for OAuth2, SAML, and other authentication protocols.

An Incorrect Privilege Assignment vulnerability (CVE-2022-31690) has been identified in Spring Security's spring-security-oauth2-client module, which handles OAuth2 login and client functionality.

An Incorrect Privilege Assignment vulnerability occurs when a system assigns broader privileges to an actor than were intended or authorized. In this case, the Spring Security OAuth2 client incorrectly defaults to the client registration's configured scopes when the authorization server's token response contains an empty scope list. The client application may therefore grant a user privileges based on its own configuration rather than on what the authorization server actually authorized, leading to privilege escalation.

This issue affects multiple versions of Spring Security's spring-security-oauth2-client package.

Details

Module Info

  • Product: Spring Security
  • Affected packages: spring-security-oauth2-client
  • Affected versions: >= 5.7.0 < 5.7.5, < 5.6.9
  • GitHub repository: https://github.com/spring-projects/spring-security
  • Published packages: https://central.sonatype.com/artifact/org.springframework.security/spring-security-oauth2-client
  • Package manager: Maven
  • Fixed In: NES for Spring Security v5.5.9

Vulnerability Info

This flaw affects Spring Security applications that rely on the OAuth2 client module to authenticate users and enforce scope-based access control. Under specific conditions, the client may end up operating with broader privileges than the authorization server intended to grant.

The vulnerability is triggered when the following conditions are present:

  • The application is configured as an OAuth2 login client
  • Access control decisions in the application depend on authorities derived from OAuth2 scopes
  • The authorization server omits or returns an empty scope field in its access token response (which is permitted by the OAuth 2.0 specification RFC 6749, Section 5.1)

When the token response lacks explicit scopes, the affected versions of spring-security-oauth2-client substitute the scopes from the application's own client registration. As a result, the authenticated session may carry authorities that were never granted by the authorization server, bypassing intended access restrictions.
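The following is an added illustration, not Spring Security's code and not the project's patch. It models the scope-to-authority step described above: an OAuth2 login client parses the `scope` field of an access token response and turns each scope into a `SCOPE_*` authority. The vulnerable resolver falls back to the client registration's configured scopes whenever the response carries none; the hardened resolver only trusts what the server returned and, for an omitted field, uses the scopes of the authorization request that was actually sent (RFC 6749, Section 5.1 treats an omitted scope as identical to the requested scope). The class names, registration, authorization request and token responses are all constructed for the example.

```python
"""Model of token-response scope handling for CVE-2022-31690 (added example)."""
import json
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class ClientRegistration:  # hypothetical stand-in for the client's static config
    client_id: str
    scopes: Set[str]  # scopes configured in the application itself


@dataclass
class AuthorizationRequest:  # hypothetical stand-in for the /authorize request
    scopes: Set[str]  # scopes the client actually asked the server for


def parse_token_response(raw: str) -> Dict[str, Optional[Set[str]]]:
    """Parse a JSON token response. scopes is None when the field is absent,
    an empty set when the server explicitly returned scope=""."""
    body = json.loads(raw)
    scope = body.get("scope")
    scopes = None if scope is None else set(scope.split())
    return {"access_token": body["access_token"], "scopes": scopes}


def resolve_scopes_vulnerable(resp, registration, auth_request) -> Set[str]:
    # Affected behaviour: an absent OR empty scope falls back to the
    # registration's configured scopes, which the server never asserted.
    if not resp["scopes"]:
        return set(registration.scopes)
    return set(resp["scopes"])


def resolve_scopes_hardened(resp, registration, auth_request) -> Set[str]:
    # An explicit scope string (even an empty one) is authoritative. Only an
    # omitted field means "same as requested" per RFC 6749 s5.1, and the
    # requested set is the authorization request, never the registration.
    if resp["scopes"] is None:
        return set(auth_request.scopes)
    return set(resp["scopes"])


def authorities_from_scopes(scopes: Set[str]) -> Set[str]:
    # Mirrors the SCOPE_<scope> authority naming used for scope-based access control.
    return {f"SCOPE_{s}" for s in scopes}


def is_allowed(authorities: Set[str], required: str) -> bool:
    return required in authorities


def demo() -> Dict[str, Set[str]]:
    # Constructed data: the app is registered with an extra "admin" scope that
    # this particular login never requested.
    registration = ClientRegistration("web-app", {"openid", "profile", "admin"})
    auth_request = AuthorizationRequest({"openid", "profile"})

    # Constructed token responses: one omits "scope", one returns it empty.
    omitted = parse_token_response('{"access_token": "at-1", "token_type": "Bearer"}')
    empty = parse_token_response('{"access_token": "at-2", "token_type": "Bearer", "scope": ""}')

    return {
        "vuln_omitted": authorities_from_scopes(resolve_scopes_vulnerable(omitted, registration, auth_request)),
        "hard_omitted": authorities_from_scopes(resolve_scopes_hardened(omitted, registration, auth_request)),
        "vuln_empty": authorities_from_scopes(resolve_scopes_vulnerable(empty, registration, auth_request)),
        "hard_empty": authorities_from_scopes(resolve_scopes_hardened(empty, registration, auth_request)),
    }


if __name__ == "__main__":
    for name, authorities in demo().items():
        print(f"{name:12s} admin={is_allowed(authorities, 'SCOPE_admin')} {sorted(authorities)}")
```

Running the block shows the two failure modes the advisory lists: with the scope field omitted, the vulnerable resolver hands the session `SCOPE_admin` from the registration although the login only requested `openid profile`; with an explicitly empty scope it does the same, whereas the hardened resolver yields no authorities at all. A regression test for an application that derives authorities from scopes should cover both responses.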

Mitigation

Only recent versions of Spring Security are community-supported. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Security.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

Severity: High

  Level      CVSS Assessment
  Low        >=0 <4
  Medium     >=4 <6
  High       >=6 <8
  Critical   >=8 <10

ID: CVE-2022-31690
Project Affected: Spring Security
Versions Affected: >= 5.7.0 < 5.7.5, < 5.6.9
NES Versions Affected:
Published date: March 24, 2026
≈ Fix date: March 24, 2026
Category: Privilege Escalation
VEX Document: Download VEX