CVE-2022-31692 - Authorization Bypass

Severity: None2022-11-18

Security Advisories


Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring Security applies security to forward and include dispatcher types. The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method. The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. = request, error, async, forward, include). The application may forward or include the request to a higher privilege-secured endpoint.The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true)

The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Feedback v2.1.3 and olderNone Oxygen Feedback 2.1.4 build 2022111716
Oxygen Content Fusion v5.0.1 and olderNone Content Fusion 5.0.2 build 2022121305





Severity: Critical

CVSS Score: 9.8

The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-31692 vulnerability description. However, the Oxygen products are not configured as described in the vulnerability description. For that reason, Oxygen XML products are not affected by this vulnerability

Starting with Oxygen Feedback v2.1.4 build 2022111716 Spring Security library was updated to v5.7.5 which fixes this vulnerability.

List of Security Advisories