CVE-2024-38827

Authorization Bypass
Affects
Spring Security
<=5.7.13, >=5.8.0 <=5.8.15, >=6.0.0 <=6.0.13, >=6.1.0 <=6.1.11, >=6.2.0 <=6.2.7, >=6.3.0 <=6.3.4
in
Spring
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Security is a comprehensive Java security framework for securing enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of secure applications by allowing you to manage authentication, authorization, and other security concerns with ease. Spring Security integrates seamlessly with the Spring Framework, offering robust tools for configuring access controls, managing user roles, and protecting resources, all while allowing Java to be your primary language for application development.

Similar to CVE-2024-38820, a locale-dependent case-conversion vulnerability (CVE-2024-38827) has been identified in Spring Security. Because the conversions depend on the JVM default locale, authorization rules may not match as intended on some deployments.

This issue affects multiple versions of Spring Security.

Details

Module Info

  • Product: Spring Security
  • Affected packages: spring-security-cas, spring-security-config, spring-security-core, spring-security-crypto, spring-security-data, spring-security-ldap, spring-security-oauth2-client, spring-security-taglibs, spring-security-web
  • Affected versions: <=5.7.13, >=5.8.0 <=5.8.15, >=6.0.0 <=6.0.13, >=6.1.0 <=6.1.11, >=6.2.0 <=6.2.7, >=6.3.0 <=6.3.4
  • GitHub repository: https://github.com/spring-projects/spring-security
  • Package manager: Maven
  • Fixed in: Spring NES v5.7.15, v5.8.17

Vulnerability Info

The no-argument methods String.toLowerCase() and String.toUpperCase() in Java perform case conversions using the rules of the JVM default locale (Locale.getDefault()). These rules differ between locales, so the same call can produce different strings on different deployments, leading to unexpected results in string comparisons or transformations. The best-known case is Turkish: in the tr locale, the lowercase of 'I' is the dotless 'ı' (U+0131) and the uppercase of 'i' is the dotted 'İ' (U+0130), rather than the ASCII 'i' and 'I' that the default rules produce.

In the context of CVE-2024-38827, this behavior becomes a security concern when these methods are used in authorization logic. If a string representing a user's role, permission, path, or other identifier is case-folded with the default locale and then compared against a fixed expected value, locale-specific mappings can cause the comparison to fail where it was expected to succeed, or to miss a value it was meant to catch. Depending on which side of the check is affected, the result is either an authorization bypass or denial of legitimate access.
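The following is an added example written for this page; it is not Spring Security's code and does not reproduce the exact code path that was patched. The class and method names (LocaleCaseFolding, hasRoleDefaultLocale, isProtectedPathDefaultLocale and their hardened counterparts) are hypothetical, and the Turkish default locale is simulated with Locale.setDefault() rather than by starting the JVM with -Duser.language=tr. It shows both failure directions described above (a legitimate role denied, and a path guard that no longer matches) and two locale-independent fixes: passing Locale.ROOT explicitly, or avoiding whole-string case conversion in favour of per-character comparison methods.

```java
import java.util.Locale;

// Added example, not Spring Security code: default-locale case folding versus
// locale-independent alternatives in authorization-style string checks.
public class LocaleCaseFolding {

    // Vulnerable pattern: the no-arg toUpperCase() consults Locale.getDefault().
    // Under tr, "role_admin" folds to "ROLE_ADMİN" (dotted İ, U+0130), which is
    // not equal to the constant "ROLE_ADMIN", so a real admin is denied.
    static boolean hasRoleDefaultLocale(String granted, String required) {
        return granted.toUpperCase().equals(required.toUpperCase());
    }

    // Vulnerable pattern: a "case-insensitive" guard built on default-locale
    // toLowerCase(). Under tr, "/ADMIN/users" folds to "/admın/users" (dotless ı,
    // U+0131) and no longer starts with "/admin", so the guard does not fire even
    // though a case-insensitive router would still serve the admin resource.
    static boolean isProtectedPathDefaultLocale(String path) {
        return path.toLowerCase().startsWith("/admin");
    }

    // Fix 1: pin the locale. Locale.ROOT applies the language-neutral mapping, so
    // 'i' <-> 'I' regardless of how the JVM was started.
    static boolean hasRoleRootLocale(String granted, String required) {
        return granted.toUpperCase(Locale.ROOT).equals(required.toUpperCase(Locale.ROOT));
    }

    // Fix 2: do not convert the whole string at all. regionMatches(true, ...) and
    // equalsIgnoreCase() fold per character via Character.toUpperCase/toLowerCase,
    // which do not consult the default locale.
    static boolean isProtectedPathLocaleIndependent(String path) {
        String prefix = "/admin";
        return path.regionMatches(true, 0, prefix, 0, prefix.length());
    }

    public static void main(String[] args) {
        Locale saved = Locale.getDefault();
        try {
            // Simulate a JVM running with a Turkish default locale.
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));

            System.out.println("default locale: " + Locale.getDefault());
            System.out.println("\"admin\".toUpperCase()   = " + "admin".toUpperCase());
            System.out.println("\"/ADMIN\".toLowerCase() = " + "/ADMIN".toLowerCase());

            System.out.println("hasRoleDefaultLocale(role_admin, ROLE_ADMIN) = "
                    + hasRoleDefaultLocale("role_admin", "ROLE_ADMIN"));
            System.out.println("hasRoleRootLocale(role_admin, ROLE_ADMIN)    = "
                    + hasRoleRootLocale("role_admin", "ROLE_ADMIN"));

            System.out.println("isProtectedPathDefaultLocale(/ADMIN/users)     = "
                    + isProtectedPathDefaultLocale("/ADMIN/users"));
            System.out.println("isProtectedPathLocaleIndependent(/ADMIN/users) = "
                    + isProtectedPathLocaleIndependent("/ADMIN/users"));
        } finally {
            Locale.setDefault(saved);
        }
    }
}
```

Run it once as written and once with the Locale.setDefault() line removed on a machine whose default locale is en-US; only the two "DefaultLocale" checks change their answer between the runs, which is exactly the property an authorization rule must not have. When auditing a code base for this class of bug, grep for toLowerCase() and toUpperCase() calls with no Locale argument and treat any that feed a security decision as suspect.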

Steps To Reproduce

This issue affects multiple packages in spring-security. For general reproduction steps, see the related CVE-2024-38820.

Credits

Mitigation

Spring Security 5.x is no longer community-supported. The community support version will not receive any updates to address this issue.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Security.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
Vulnerability Details

  • ID: CVE-2024-38827
  • Project affected: Spring Security
  • Versions affected: <=5.7.13, >=5.8.0 <=5.8.15, >=6.0.0 <=6.0.13, >=6.1.0 <=6.1.11, >=6.2.0 <=6.2.7, >=6.3.0 <=6.3.4
  • Published date: November 19, 2024
  • Approximate fix date: November 19, 2024
  • Severity: Medium
  • Category: Authorization Bypass