Cyber Resilience

CVE-2022-31692

Critical

Published: 31 October 2022
Modified: 06 May 2025
KEV Added: not listed (not currently in the CISA KEV catalog)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0578 (90.7th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-31692 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in VMware Spring Security. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 9.3% of CVEs by EPSS exploit likelihood (90.7th percentile) and is not currently listed in the CISA KEV catalog.

Deeper analysis

Spring Security 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 can be bypassed when an application relies on the framework to enforce its authorization rules on FORWARD and INCLUDE dispatches as well as on the original REQUEST. The issue manifests only when every one of the following holds: the AuthorizationFilter is in use (wired manually or through authorizeHttpRequests()), the FilterChainProxy is configured to run on forward and/or include dispatches (for example through spring.security.filter.dispatcher-types), the application enables shouldFilterAllDispatcherTypes(true), and some code path forwards or includes the request to a higher-privilege endpoint. In that configuration the forwarded or included dispatch is not re-authorized, so an endpoint that would be denied when requested directly can be reached through the forward.

FORWARD and INCLUDE are server-side dispatches, so the attacker does not send them directly. An unauthenticated remote attacker sends an ordinary request to a permitAll or low-privilege endpoint whose handler forwards or includes to a secured resource, and the rules protecting that resource are not applied to the forwarded dispatch. Because the reachable target can be any protected functionality, successful exploitation can result in full compromise of confidentiality, integrity, and availability, consistent with the CVSS 9.8 rating.

Advisories from VMware Tanzu and NetApp reference the fixed Spring Security releases (5.6.9 and 5.7.5) and state that the vulnerability is addressed by upgrading to them. The EPSS score rose from a low baseline to a recorded peak of 0.0838, which suggests growing exploitation interest after disclosure.

Vulnerability details

Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9, could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true:

- The application expects that Spring Security applies security to forward and include dispatcher types.
- The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method.
- The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include).
- The application may forward or include the request to a higher privilege-secured endpoint.
- The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true).
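The following is an added illustration, not code from the advisory or from the Spring Security project: a Spring Boot application on Spring Security 5.7.0 to 5.7.4 whose configuration meets every one of the conditions listed above, together with the forwarding handler that turns the configuration into a bypass. The endpoint paths, role name and class names are hypothetical; the property on the first lines is the Spring Boot setting from the third condition.

```java
// Added illustration (not the advisory's or the Spring Security project's code):
// a configuration on Spring Security 5.7.0-5.7.4 that satisfies every condition
// in the advisory. Paths, roles and class names are hypothetical.
//
// Condition 3 is a Spring Boot property in application.properties, shown here
// as a comment because it is not Java:
//   spring.security.filter.dispatcher-types=request,error,async,forward,include

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Configuration
@EnableWebSecurity
class DispatcherTypeSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Condition 2: authorizeHttpRequests() installs the AuthorizationFilter.
            .authorizeHttpRequests(auth -> auth
                // Condition 5: the application asks for every dispatcher type to be
                // authorized, i.e. it expects /admin/** to stay protected on FORWARD
                // and INCLUDE dispatches as well (condition 1).
                .shouldFilterAllDispatcherTypes(true)
                // antMatchers() is the 5.7-era matcher method on this registry.
                .antMatchers("/public/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic();
        return http.build();
    }
}

@Controller
class ReportController {

    // Condition 4: an anonymously reachable handler forwards, server-side, to a
    // handler that the rules above reserve for ROLE_ADMIN. The forward re-enters
    // the filter chain with dispatcher type FORWARD; on the affected releases the
    // AuthorizationFilter does not re-evaluate the rules for that dispatch, so an
    // unauthenticated GET /public/report returns the admin handler's response.
    @GetMapping("/public/report")
    public String publicReport() {
        return "forward:/admin/report";
    }

    // Requested directly, this endpoint is denied without ROLE_ADMIN.
    @GetMapping("/admin/report")
    @ResponseBody
    public String adminReport() {
        return "quarterly figures (ROLE_ADMIN only)";
    }
}
```

The quickest confirmation is to issue an unauthenticated GET /admin/report (expected: 401) and an unauthenticated GET /public/report against the same deployment; on an affected release the second returns the admin body, on 5.7.5 or 5.6.9 the forwarded dispatch is denied too. Since all five conditions must hold, an application that never forwards or includes into a higher-privilege endpoint is not exposed, but the fix the advisories describe is the upgrade, not a configuration change.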

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

VMware Spring Security: 5.6.0 up to but not including 5.6.9 (fixed in 5.6.9); 5.7.0 up to but not including 5.7.5 (fixed in 5.7.5)
NetApp Active IQ Unified Manager: all versions

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the controls below are derived from the weakness type (CWE-639) cited in the NVD entry.

- Per-request decision making (addresses CWE-639): making the authorization decision on every request and every dispatch that reaches a protected resource, rather than once per original request, makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.
- Consistent enforcement of approved authorizations (addresses CWE-639): applying approved authorizations uniformly at every path by which a protected resource can be reached makes bypass via user-controlled keys ineffective.
