CVE-2022-31692
Published: 31 October 2022
Summary
CVE-2022-31692 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in VMware Spring Security. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 9.3% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
Deeper analysis
Spring Security versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 are vulnerable to authorization bypass when an application expects the framework to enforce rules on forward and include dispatcher types. The issue manifests specifically when the AuthorizationFilter is in use (either directly or through authorizeHttpRequests()), the FilterChainProxy is explicitly configured to handle forward or include requests, and shouldFilterAllDispatcherTypes(true) is set, allowing a request to be forwarded or included to a higher-privilege endpoint that would otherwise be protected.
An unauthenticated remote attacker can exploit the flaw by crafting requests that leverage forward or include dispatcher types to reach secured resources, bypassing intended authorization checks. Successful exploitation can result in full compromise of confidentiality, integrity, and availability, consistent with the CVSS 9.8 rating.
Advisories from VMware Tanzu and NetApp reference the fixed Spring Security releases and note that the vulnerability is addressed by upgrading to the patched versions. The EPSS score rose from a low baseline to a recorded peak of 0.0838, indicating emerging exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7386
Vulnerability details
Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9, could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true:
- The application expects that Spring Security applies security to forward and include dispatcher types.
- The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method.
- The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include).
- The application may forward or include the request to a higher privilege-secured endpoint.
- The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true).
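The conditions above are easiest to recognise in code. The following Spring Security 5.7-style configuration is an added illustration for code review, not code from the advisory or from the Spring Security project; the package, class names and URL paths are hypothetical. Together with the property spring.security.filter.dispatcher-types = request, error, async, forward, include in the application's configuration, it matches every condition in the list, so an application with this shape on 5.7.x before 5.7.5 or 5.6.x before 5.6.9 is in scope and should be upgraded to the fixed release.

```java
// Added illustration (not from the advisory or the Spring Security project):
// a configuration that meets all of the conditions the advisory lists.
// Package, class names and paths are hypothetical. The configuration itself
// is not wrong; on the affected versions the remediation is the upgrade.
package example.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Configuration
public class WebSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Condition: AuthorizationFilter is used via authorizeHttpRequests().
            .authorizeHttpRequests(authorize -> authorize
                // Condition: the application expects the rules below to be
                // enforced on every dispatcher type, FORWARD and INCLUDE included.
                .shouldFilterAllDispatcherTypes(true)
                // Condition: a higher-privilege endpoint exists that a request
                // could be forwarded or included to.
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            )
            .formLogin();
        return http.build();
    }
}

// Condition: the application forwards a request to a higher privilege-secured
// endpoint. A Spring MVC "forward:" view name dispatches the same request
// again with DispatcherType.FORWARD; on the affected versions the /admin/**
// rule above is not applied to that forwarded dispatch.
@Controller
class ReportController {

    @GetMapping("/reports/summary")
    public String summary() {
        return "forward:/admin/reports";  // hypothetical forward target
    }
}
```

When auditing, look for all three pieces together: the dispatcher-types property that lets the FilterChainProxy see forward/include requests, shouldFilterAllDispatcherTypes(true) under authorizeHttpRequests(), and any handler, view resolver or servlet that forwards or includes into a more privileged URL. Any one of them alone does not meet the advisory's conditions.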
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.