spring-security SecurityContext vulnerability
Issue date: 21-09-2021
Affects versions: 13.4, 12.6
Security Issue ID
SECURITY-242
Affected Product Version(s)
12.6.16, 13.4.9 and previous releases.
Severity
high
Description
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot trigger the bug on their own; the application code itself must change the context more than once within a request. However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
This vulnerability will only be triggered for customers that have customized their project to use the specific Spring Security feature described above, e.g. to build a "user impersonation" feature. The standard product features are not vulnerable.
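The pattern the advisory describes is a scoped "run as" block: the request's SecurityContext is swapped to an elevated identity, work is done, and the original context is put back, so the context changes twice in one request. The following Java class is an added illustration of that pattern and is not the product's or Spring Security's own code; the user names, roles and the helper name `runAs` are constructed for the example, and it assumes only `spring-security-core` on the classpath. Its self-check covers the thread-local holder only: on the affected Spring Security versions the end-of-request persistence of the restored context is what can go wrong, and that is corrected by the upgrade, not by anything in this class. Finding a helper like this in a project is the signal that the project is in the affected group.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

import java.util.concurrent.Callable;

/**
 * Scoped "run as" helper (illustrative example, not the product's code).
 * It changes the SecurityContext twice in one request: once to the
 * elevated identity and once back to the caller's identity. The second
 * change is the one the affected Spring Security versions may fail to
 * persist, so projects containing a helper like this need the upgrade.
 */
public final class RunAsExample {

    private RunAsExample() {}

    /** Runs task with elevated as the current Authentication, then restores the caller's context. */
    public static <T> T runAs(Authentication elevated, Callable<T> task) throws Exception {
        SecurityContext original = SecurityContextHolder.getContext();
        // Use a fresh context object instead of mutating the caller's one,
        // so restoring is a plain setContext(original) with no shared state.
        SecurityContext temporary = SecurityContextHolder.createEmptyContext();
        temporary.setAuthentication(elevated);
        SecurityContextHolder.setContext(temporary);
        try {
            return task.call();
        } finally {
            // Second context change in this request: put the caller's context back.
            SecurityContextHolder.setContext(original);
        }
    }

    /** Self-check: after runAs returns, the holder must carry the caller's identity, not the elevated one. */
    public static boolean restoresCallerContext() throws Exception {
        // Constructed sample identities; the 3-argument token constructor marks them authenticated.
        Authentication caller = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        Authentication elevated = new UsernamePasswordAuthenticationToken(
                "import-admin", "n/a", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));

        SecurityContext callerContext = SecurityContextHolder.createEmptyContext();
        callerContext.setAuthentication(caller);
        SecurityContextHolder.setContext(callerContext);

        String seenInside = runAs(elevated,
                () -> SecurityContextHolder.getContext().getAuthentication().getName());
        String seenAfter = SecurityContextHolder.getContext().getAuthentication().getName();
        return "import-admin".equals(seenInside) && "alice".equals(seenAfter);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("thread-local context restored after runAs: " + restoresCallerContext());
    }
}
```

The `finally` restore guarantees the thread-local holder is correct for the remainder of the request; whether the session repository saves that restored context when the response is written is the part governed by the Spring Security version, which is why the advisory's remedy is the upgrade rather than a code change in the project.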
Because the Spring Security version used by the 12.x line is no longer actively maintained, there is no backwards-compatible fix available. Since most customer projects are not affected by this vulnerability, we have chosen not to upgrade this dependency. If you are affected, we recommend upgrading to the most recent release in the 13.x or 14.x line.
Instructions
Customers using the 13.x major version are recommended to upgrade to the latest version in that series. Customers using the 12.x major version are recommended to upgrade to the latest 13.x or 14.x version.