CVE-2022-31692 - Authorization Bypass
Severity: None
2022-11-18
Abstract
Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true:
- The application expects that Spring Security applies security to forward and include dispatcher types.
- The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method.
- The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include).
- The application may forward or include the request to a higher privilege-secured endpoint.
- The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true).
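As an added illustration that is not part of the original advisory and not code from the Oxygen products, the following Spring Boot configuration satisfies every condition listed above at once. All names in it are hypothetical (the property line, the VulnerableSecurityConfig and ReportController classes, and the /report and /admin/** paths); it shows what to look for when checking whether an application that bundles an affected Spring Security version is actually exposed.

```java
// application.properties, assumed for this example (condition 3):
//   spring.security.filter.dispatcher-types=request,error,async,forward,include
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Configuration
public class VulnerableSecurityConfig {

    // Conditions 1, 2 and 5: authorization rules are installed through
    // authorizeHttpRequests() (i.e. the AuthorizationFilter) and the
    // application opts in to filtering every dispatcher type, so it expects
    // the FORWARD and INCLUDE dispatches to be authorized as well.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .shouldFilterAllDispatcherTypes(true)
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic();
        return http.build();
    }
}

@Controller
class ReportController {

    // Condition 4: an endpoint that any authenticated user may reach forwards
    // the request to a URL that only ROLE_ADMIN should be allowed to see.
    // With Spring Security 5.7.0-5.7.4 or 5.6.0-5.6.8 the FORWARD dispatch
    // to /admin/report is not re-authorized (CVE-2022-31692); with 5.7.5 or
    // 5.6.9 the same configuration denies it to a non-admin user.
    @GetMapping("/report")
    public String report() {
        return "forward:/admin/report";
    }
}
```

When auditing an application, confirm which Spring Security version is actually resolved on the classpath (for Maven, `mvn dependency:tree -Dincludes=org.springframework.security`) and then check the five conditions against its security configuration; if any one of them does not hold, the bypass described in the CVE does not apply, and if all hold, upgrading to 5.7.5 or 5.6.9 is the fix.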
The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Oxygen Feedback v2.1.3 and older | None | Oxygen Feedback 2.1.4 build 2022111716 |
| Oxygen Content Fusion v5.0.1 and older | None | Content Fusion 5.0.2 build 2022121305 |
Detail
CVE-2022-31692
Severity: Critical
CVSS Score: 9.8
The Spring Security third-party library bundled with the Oxygen XML products is one of the versions named in the CVE-2022-31692 description. However, the Oxygen products are not configured as described there: their Spring Security configuration does not match the conditions listed above. For that reason, Oxygen XML products are not affected by this vulnerability.
Starting with Oxygen Feedback v2.1.4 build 2022111716, the Spring Security library was updated to v5.7.5, which fixes this vulnerability.