Description

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

Remediation

References

http://www.openwall.com/lists/oss-security/2021/02/19/7

https://lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804%40%3Cpluto-scm.portals.apache.org%3E

https://lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc%40%3Cpluto-scm.portals.apache.org%3E

https://lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b%40%3Cissues.nifi.apache.org%3E

https://tanzu.vmware.com/security/cve-2021-22112

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpuoct2021.html

Related Vulnerabilities

CVE-2019-1003069 Vulnerability in maven package org.jenkins-ci.plugins:aqua-security-scanner

CVE-2019-20503 Vulnerability in npm package electron

CVE-2020-2143 Vulnerability in maven package org.jenkins-ci.plugins:logstash

CVE-2023-49299 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-master

CVE-2019-16567 Vulnerability in maven package org.jenkins-ci.plugins:teamconcert

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory Vendor Advisory Patch NVD-CWE-noinfo