Service Notices
Spring Security Authorization Bypass Vulnerability (CVE-2022-22978)
May 26, 2022 GMT+08:00
I. Overview
Recently, VMware officially released a security advisory disclosing an authorization bypass vulnerability (CVE-2022-22978) in specific versions of Spring Security. Spring Security's RegexRequestMatcher lets applications express access-control rules as regular expressions matched against the request path. In Java regular expressions, a dot (.) does not match line terminators unless the pattern is compiled with the DOTALL flag, so a rule such as "/admin/.*" fails to match a request whose path contains a line-feed or carriage-return character. Applications that use RegexRequestMatcher with a dot (.) in the regular expression therefore allow an attacker to craft a request path that is not matched by the protective rule and so bypasses the intended authorization check. The fixed versions compile the pattern with DOTALL so that the dot also matches line terminators. The details and a PoC for this vulnerability have already been published, so the risk is high.
Spring Security is a security framework that provides a declarative access-control solution for Spring-based enterprise applications. If you use Spring Security, check whether your configuration relies on RegexRequestMatcher (for example, regexMatchers() rules) and apply the fix promptly.
Reference link: CVE-2022-22978: Authorization Bypass in RegexRequestMatcher
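The following stand-alone program is an added illustration of the matching behavior described above; it is not code from Spring Security or from this notice. It mimics the way RegexRequestMatcher compiled its pattern before the fix (plain Pattern.compile) and after the fix (Pattern.compile with Pattern.DOTALL), and runs both against two constructed request paths. The rule string, class name and sample paths are assumptions chosen for the demonstration.

```java
import java.util.regex.Pattern;

// Added example (not Spring Security's own code): shows why a rule such as
// "/admin/.*" is skipped for a path containing a line terminator, and how
// compiling with Pattern.DOTALL closes the gap. Names are hypothetical.
public class RegexMatcherDemo {

    // The kind of rule an application would write in its security config,
    // e.g. .regexMatchers("/admin/.*").hasRole("ADMIN")  (assumed rule)
    static final String ADMIN_RULE = "/admin/.*";

    // Pre-fix behavior: plain compile. In Java regex, '.' does not consume
    // line terminators (\n, \r, ...) unless DOTALL is set, so matches()
    // cannot consume the whole input when the path contains one.
    static boolean matchesVulnerable(String regex, String requestPath) {
        return Pattern.compile(regex).matcher(requestPath).matches();
    }

    // Post-fix behavior (Spring Security 5.5.7 / 5.6.4 and later compile the
    // matcher pattern with DOTALL): '.' also matches line terminators, so the
    // rule covers the entire path regardless of embedded newlines.
    static boolean matchesFixed(String regex, String requestPath) {
        return Pattern.compile(regex, Pattern.DOTALL).matcher(requestPath).matches();
    }

    public static void main(String[] args) {
        // Constructed sample paths (not captured traffic). A servlet container
        // decodes a percent-encoded line feed ("%0a") in the request URI into a
        // real '\n' before Spring Security sees the path, which is how the
        // second value reaches the matcher.
        String normalPath = "/admin/config";
        String lfPath = "/admin/\nconfig";

        System.out.println("vulnerable matcher, normal path     : "
                + matchesVulnerable(ADMIN_RULE, normalPath));
        System.out.println("vulnerable matcher, LF in path      : "
                + matchesVulnerable(ADMIN_RULE, lfPath));
        System.out.println("DOTALL (fixed) matcher, normal path : "
                + matchesFixed(ADMIN_RULE, normalPath));
        System.out.println("DOTALL (fixed) matcher, LF in path  : "
                + matchesFixed(ADMIN_RULE, lfPath));
    }
}
```

Compile and run with `javac RegexMatcherDemo.java && java RegexMatcherDemo`. The vulnerable matcher reports a match only for the normal path, so a request carrying the line feed never triggers the "/admin/.*" rule and the hasRole("ADMIN") requirement is not applied to it; the DOTALL matcher reports a match for both paths. Whether the application then actually serves the protected resource for the newline-bearing path depends on how the rest of the application routes it, which is why affected configurations should be identified and upgraded rather than reasoned about case by case.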
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Spring Security 5.5.x < 5.5.7
Spring Security 5.6.x < 5.6.4
Older, unsupported Spring Security versions are also affected.
Secure versions:
Spring Security 5.5.x >= 5.5.7
Spring Security 5.6.x >= 5.6.4
IV. Vulnerability Handling
Secure versions have been released. You are advised to upgrade Spring Security to a secure version. Only applications whose authorization rules are built with RegexRequestMatcher (for example, regexMatchers() rules) and that use a dot (.) in the expression are affected; applications that rely solely on AntPathRequestMatcher or MvcRequestMatcher rules are not exposed to this issue, but upgrading is still recommended.
https://github.com/spring-projects/spring-security/tags
HUAWEI CLOUD WAF can defend against this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.