CVE-2022-31692
Severity: 9.8 CRITICAL
EPSS: 8.4% (top 7.69%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Oct 31
Latest update: Jan 15
Description
Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true:
1. The application expects that Spring Security applies security to forward and include dispatcher types.
2. The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method.
3. The application configures the FilterChainProxy to app…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 3 packages
Vulnerability Details
Vendor Advisories (5)
Oracle: Oracle Financial Services Applications Risk Matrix: Common Core (Spring Security) — CVE-2022-31692 (2024-01-15)
Oracle: Oracle Communications Applications Risk Matrix: Vision (Spring Security) — CVE-2022-31692 (2023-07-15)
Oracle: Oracle Communications Risk Matrix: Authentication (Spring Security) — CVE-2022-31692 (2023-04-15)
Oracle: Oracle Communications Applications Risk Matrix: REST API (Spring Security) — CVE-2022-31692 (2023-01-15)
Red Hat: spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security (2022-10-31)