spring-security SecurityContext vulnerability 

Issue date: 21-09-2021
Affects versions: 13.4, 12.6

Security Issue ID

SECURITY-242


Affected Product Version(s)

12.6.16, 13.4.9 and previous releases.


Severity

high


Description

CVE-2021-22112

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

This vulnerability will only be triggered for customers that have customized their project to use the specific Spring Security feature described above, e.g. to build a "user impersonation" feature. The standard product features are not vulnerable.

Because the version of Spring Security used in the 12.x line is no longer actively maintained, there is no backwards-compatible fix available. Since most customer projects are not affected by this vulnerability, we have chosen not to upgrade this dependency. If you are affected, we recommend upgrading to the most recent release in the 13.x or 14.x line.
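The pattern the advisory refers to is a request that swaps in an elevated Authentication for one unit of work and then swaps the original back, i.e. the SecurityContext changes twice in one request. The following is an added example, not product code and not part of the original advisory; the class ScopedElevation, the users, roles and the contextRestored check are constructed for illustration. It shows the defensive shape such code should have in any version: the elevated context is a fresh object (the original is never mutated to carry elevated authorities), and the original is restored in a finally block so an exception cannot leave the thread running elevated. Note that this bounds the thread-local context only; whether the repository persists the correct context to the session at the end of the request is exactly what the fixed Spring Security releases address, so this helper is a complement to upgrading, not a substitute for it.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

import java.util.concurrent.Callable;

/**
 * Hypothetical helper (added example): runs one unit of work with a temporarily
 * elevated Authentication and guarantees the caller's original SecurityContext
 * is restored afterwards, even if the work throws.
 */
public final class ScopedElevation {

    private ScopedElevation() {}

    public static <T> T runElevated(Authentication elevated, Callable<T> work) throws Exception {
        // Capture, by reference, the context the request started with.
        SecurityContext original = SecurityContextHolder.getContext();

        // Use a fresh context for the elevated run instead of mutating the original,
        // so the original object never carries elevated authorities.
        SecurityContext elevatedContext = SecurityContextHolder.createEmptyContext();
        elevatedContext.setAuthentication(elevated);
        SecurityContextHolder.setContext(elevatedContext);
        try {
            return work.call();
        } finally {
            // Always restore the original context; this is the second change in the request.
            SecurityContextHolder.setContext(original);
        }
    }

    /**
     * Defensive check for a filter, interceptor or test: at the end of the request the
     * current context must be the very object (and Authentication) the request started with.
     */
    public static boolean contextRestored(SecurityContext expected) {
        SecurityContext current = SecurityContextHolder.getContext();
        return current == expected && current.getAuthentication() == expected.getAuthentication();
    }

    // Demo with constructed users; no servlet container or HTTP session is involved.
    public static void main(String[] args) throws Exception {
        SecurityContext userCtx = SecurityContextHolder.createEmptyContext();
        userCtx.setAuthentication(new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER")));
        SecurityContextHolder.setContext(userCtx);

        // Constructed elevated principal for the scoped operation.
        Authentication elevated = new UsernamePasswordAuthenticationToken(
                "alice-elevated", "n/a", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));

        String seenInside = runElevated(elevated, () ->
                SecurityContextHolder.getContext().getAuthentication().getAuthorities().toString());

        System.out.println("authorities inside elevated scope: " + seenInside);
        System.out.println("original context restored: " + contextRestored(userCtx));
        System.out.println("authorities after scope: "
                + SecurityContextHolder.getContext().getAuthentication().getAuthorities());
    }
}
```

A practical use of contextRestored is a request-scoped filter placed after the application's own filters that logs or fails the request when the context at the end is not the one captured at the start; that turns a leaked elevation into a detectable event rather than a silent privilege extension.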

Instructions

Customers using the 13.x major version are recommended to upgrade to the latest version in that series. Customers using the 12.x major version are recommended to upgrade to the latest 13.x or 14.x version.