Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2024-38810: Missing Authorization When Using @AuthorizeReturnObject
Description
Applications using @AuthorizeReturnObject or the Spring Security produced AuthorizationAdvisorProxyFactory @Bean to wrap objects may not have all security advice applied.
When method security advice is not applied, it means that annotations like @PreFilter and @PreAuthorize may take no affect on these wrapped objects.
Note that this does not impact any @Beans that use Spring Security's method security advice.
For this to impact an application, all of the following need to be true:
AnnotationAwareAspectJAutoProxyCreatormust be the auto proxy creator being used to create proxies; this can either be done declaratively by your application or enabled via@EnableAspectJAutoProxyor enabled by Spring Boot by virtue of usingspring-aspectsor a starter that usesspring-aspects- The application must have at least one
FactoryBeanpresent in the application context - The application must enable method security with
@EnableMethodSecurity - The application must be wrapping objects using the
@AuthorizeReturnObjectannotation or theAuthorizationAdvisorProxyFactory@Beanproduced by Spring Security - The application must be using
@PreFilter,@PostFilter,@PreAuthorize, or@PostAuthorizeon those wrapped objects
If all of these are true, then some of the method security advice may not be applied to the objects wrapped by @AuthorizeReturnObject or AuthorizationAdvisorProxyFactory.
Applications where any of the following are true are not impacted:
- The application is not using
@PreFilter,@PostFilter,@PreAuthorize, or@PostAuthorizeon any wrapped objects - The application is not using
@EnableMethodSecurityto enable method security - The application is not using
@AuthorizeReturnObjector theAuthorizationAdvisorProxyFactory@Beanproduced by Spring Security - The application doesn't have any
FactoryBeans - The application is not using
AnnotationAwareAspectJAutoProxyCreatorfor auto-proxy creation
Affected Spring Products and Versions
This affects the following Spring Security versions:
- 6.3.0 and 6.3.1
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 6.3.x | 6.3.2 | OSS |
No other mitigation steps are necessary.
Credit
This issue was responsibly reported by Josh Cummings.
References
- Spring Security Reference - https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html#authorize-object
History
- 2024-08-19 - Initial Report Published
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all