CVE-2024-38810: Spring Security Flaw Leaves Applications Open to Unauthorized Access

Summary: A critical vulnerability (CVE-2024-38810) has been identified in Spring Security, which could allow unauthorized access to sensitive data in applications using specific configurations. Users are advised to upgrade to version 6.3.2 to mitigate this risk.

Threat Actor: Unknown
Victim: Spring Security Users

Key Points:

  • A vulnerability in Spring Security versions 6.3.0 and 6.3.1 can lead to unauthorized access due to improper application of security annotations.
  • The issue arises in specific configurations, such as wrapping objects with @AuthorizeReturnObject, where the framework may not apply all of the expected security advice to the wrapped object.
  • Users are strongly encouraged to upgrade to version 6.3.2 to ensure proper security enforcement.

A high-severity vulnerability (CVE-2024-38810) has been discovered in Spring Security, potentially allowing unauthorized access to sensitive data within affected applications. The vulnerability impacts Spring Security versions 6.3.0 and 6.3.1.

Spring Security’s powerful method security features allow developers to control access to application methods using annotations like @PreAuthorize and @PostAuthorize. However, CVE-2024-38810 reveals a significant flaw: when objects are wrapped using @AuthorizeReturnObject or the AuthorizationAdvisorProxyFactory @Bean, not all security advice may be correctly applied.

This lapse means that critical security annotations like @PreFilter, @PostFilter, @PreAuthorize, and @PostAuthorize may fail to enforce the expected security restrictions on these wrapped objects, leaving the application vulnerable to unauthorized access or data exposure.

The vulnerability was responsibly reported by Josh Cummings.

The vulnerability only affects applications meeting ALL the following conditions:

  1. Using AnnotationAwareAspectJAutoProxyCreator for auto-proxy creation
  2. Having at least one FactoryBean in the application context
  3. Enabling method security with @EnableMethodSecurity
  4. Wrapping objects using @AuthorizeReturnObject or AuthorizationAdvisorProxyFactory
  5. Using @PreFilter, @PostFilter, @PreAuthorize, or @PostAuthorize on those wrapped objects
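The following is an added example, not code from the advisory or from the Spring Security project. It is a single JUnit test class that makes all five conditions above explicit in one application context and then asserts that the security advice on the wrapped return object is actually enforced, which is the check a team would want to run after upgrading to 6.3.2. It assumes JUnit 5, spring-test, spring-aop with aspectjweaver (needed by @EnableAspectJAutoProxy) and spring-security-test (for @WithMockUser) on the test classpath; the class, method, authority and sample values are made up for the example.

```java
// Added example (not from the advisory or Spring Security): one test class that
// reproduces the five affected conditions and asserts that @PreAuthorize on a
// wrapped return object is enforced. Names and sample values are constructed.

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
import org.springframework.security.authorization.method.AuthorizeReturnObject;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

@SpringJUnitConfig(AuthorizeReturnObjectEnforcementTest.Config.class)
class AuthorizeReturnObjectEnforcementTest {

    // Condition 1: @EnableAspectJAutoProxy registers AnnotationAwareAspectJAutoProxyCreator.
    // Condition 3: method security is enabled.
    @Configuration
    @EnableAspectJAutoProxy
    @EnableMethodSecurity
    static class Config {

        // Condition 2: at least one FactoryBean in the context (a trivial one here).
        @Bean
        FactoryBean<String> bannerFactory() {
            return new FactoryBean<>() {
                @Override public String getObject() { return "constructed banner"; }
                @Override public Class<?> getObjectType() { return String.class; }
            };
        }

        // Condition 4 (second form): an explicit AuthorizationAdvisorProxyFactory bean.
        @Bean
        AuthorizationAdvisorProxyFactory authorizationProxyFactory() {
            return AuthorizationAdvisorProxyFactory.withDefaults();
        }

        @Bean
        AccountService accountService() {
            return new AccountService();
        }
    }

    // Domain object whose getter carries security advice (condition 5).
    static class Account {
        private final String owner;
        private final String iban;

        Account(String owner, String iban) {
            this.owner = owner;
            this.iban = iban;
        }

        public String getOwner() { return owner; }

        // Only callers holding this (made-up) authority may read the IBAN.
        @PreAuthorize("hasAuthority('account:read-iban')")
        public String getIban() { return iban; }
    }

    static class AccountService {
        // Condition 4 (first form): the returned Account is wrapped so that the
        // advice on its methods applies to whoever calls the returned object.
        @AuthorizeReturnObject
        public Account find(String owner) {
            return new Account(owner, "CONSTRUCTED-IBAN-0001"); // constructed sample value
        }
    }

    @Autowired
    AccountService accounts;

    @Test
    @WithMockUser(username = "alice", authorities = "account:read-iban")
    void authorizedCallerCanReadIban() {
        Account account = accounts.find("alice");
        assertEquals("CONSTRUCTED-IBAN-0001", account.getIban());
    }

    @Test
    @WithMockUser(username = "mallory")
    void unauthorizedCallerIsDenied() {
        Account account = accounts.find("alice");
        // The unannotated getter is still reachable ...
        assertEquals("alice", account.getOwner());
        // ... but the @PreAuthorize advice on the wrapped object must be applied.
        assertThrows(AccessDeniedException.class, account::getIban);
    }
}
```

The second test is the one that matters: if the advice on the wrapped object is not applied, `getIban()` returns the value to a caller without the authority and the assertion fails. Keeping a test of this shape in the suite turns the advisory's list of conditions into something the build checks on every Spring Security upgrade.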

Users of affected Spring Security versions are urged to upgrade to version 6.3.2 immediately. This update addresses the missing authorization check and ensures proper enforcement of security advice.


Source: https://securityonline.info/cve-2024-38810-spring-security-flaw-leaves-applications-open-to-unauthorized-access