#VU68866 Improper Authorization in Spring Security - CVE-2022-31692


Vulnerability identifier: #VU68866

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-31692

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Spring Security
Server applications / Frameworks for developing and running applications

Vendor: VMware, Inc

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to authorization rules bypass via forward or include dispatcher types. A remote attacker can bypass authorization process.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Spring Security: 5.6.0 - 5.6.8, 5.7.0 - 5.7.4

External links
https://tanzu.vmware.com/security/cve-2022-31692

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Common Licensing
Multiple vulnerabilities in Oracle Banking Virtual Account Management
Multiple vulnerabilities in Dell Networker
Multiple vulnerabilities in Communications Unified Assurance
Multiple vulnerabilities in Fuse 7
Multiple vulnerabilities in IBM i Modernization Engine for Lifecycle Integration
Improper authorization in IBM Maximo Application Suite
Multiple vulnerabilities in Multicluster Engine for Kubernetes 2.2
Multiple vulnerabilities in IBM InfoSphere Information Server
Improper authorization in IBM Process Mining