High severityNVD Advisory· Published Feb 23, 2021· Updated Aug 3, 2024
CVE-2021-22112
CVE-2021-22112
Description
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework.security:spring-security-bomMaven | >= 5.4.0, < 5.4.4 | 5.4.4 |
org.springframework.security:spring-security-bomMaven | >= 5.3.0, < 5.3.8 | 5.3.8 |
org.springframework.security:spring-security-bomMaven | < 5.2.9 | 5.2.9 |
org.springframework.security:spring-security-webMaven | >= 5.4.0, < 5.4.4 | 5.4.4 |
org.springframework.security:spring-security-webMaven | >= 5.3.0, < 5.3.8 | 5.3.8 |
org.springframework.security:spring-security-webMaven | < 5.2.9 | 5.2.9 |
Affected products
1- Range: 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
29- github.com/advisories/GHSA-gq28-h5vg-8prxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-22112ghsaADVISORY
- www.openwall.com/lists/oss-security/2021/02/19/7ghsamailing-listx_refsource_MLISTWEB
- github.com/spring-projects/spring-security/releases/tag/5.4.4ghsaWEB
- lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14%40%3Cpluto-dev.portals.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14@%3Cpluto-dev.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804%40%3Cpluto-scm.portals.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804@%3Cpluto-scm.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177%40%3Cpluto-dev.portals.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177@%3Cpluto-dev.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3%40%3Cpluto-dev.portals.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3@%3Cpluto-dev.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde%40%3Cpluto-dev.portals.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde@%3Cpluto-dev.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378%40%3Cpluto-dev.portals.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378@%3Cpluto-dev.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f%40%3Cpluto-dev.portals.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f@%3Cpluto-dev.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc%40%3Cpluto-scm.portals.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc@%3Cpluto-scm.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1%40%3Cpluto-dev.portals.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1@%3Cpluto-dev.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b%40%3Cissues.nifi.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b@%3Cissues.nifi.apache.org%3EghsaWEB
- tanzu.vmware.com/security/cve-2021-22112ghsax_refsource_MISCWEB
- www.jenkins.io/security/advisory/2021-02-19ghsaWEB
- www.oracle.com//security-alerts/cpujul2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuApr2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.