
[GHSA-9pp5-9c7g-4r83] Spring Security authorization bypass for method security annotations on private methods

Open tomabai opened this issue 4 months ago • 1 comments

Updates

  • Affected products
  • References

Comments

The vulnerability involves both spring-security-aspects and spring-security-core. The spring-security-aspects artifact is right to be flagged because the issue is only exploitable when that module (or @EnableMethodSecurity(mode = ASPECTJ)) is on the classpath.

On the other hand, the actual fix lives in spring-security-core, where the code that scans for security annotations is located. The patch changes a comparison from

if (method == candidate) { … }

to

if (method.equals(candidate)) { … }

Using equals() lets the scanner recognise the same method loaded by different class-loaders/AspectJ weaves, so the annotations are no longer skipped and the bypass is closed.

So to conclude, both packages should be flagged, and the fixing commit is in the core package, which is another proof that this package is vulnerable. Moreover, to my understanding, if you use spring-security-core 6.4.5 or lower, even with the updated spring-security-aspects 6.4.6 you will still be vulnerable.

tomabai avatar Jun 24 '25 08:06 tomabai
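An added illustration, not code from this thread or from Spring Security, of why a scanner that compares `java.lang.reflect.Method` objects with `==` skips the annotation while one using `equals()` finds it. Java's reflection API hands out a fresh `Method` copy on every lookup, so even within a single class loader two lookups of the same method are never identical by reference, whereas `Method.equals()` compares declaring class, name and parameter types. The `@RequiresRole` annotation, the `AccountService` class and both scanner functions are hypothetical stand-ins for Spring's annotation scanning, not its real implementation.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

// Hypothetical stand-in for a method-security annotation such as @PreAuthorize.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresRole {
    String value();
}

public class MethodIdentityDemo {

    // Hypothetical service with a private method that is meant to be protected.
    static class AccountService {
        @RequiresRole("ADMIN")
        private void deleteAccount(String id) {
            // privileged operation
        }
    }

    // Buggy scanner: reference equality on Method. getDeclaredMethods() copies every
    // Method it returns, so 'method == candidate' never holds for a Method obtained by
    // a separate lookup, and the annotation is reported as absent. A caller that treats
    // "no annotation" as "no authorization required" then lets the call through.
    static RequiresRole findWithReferenceEquality(Method method) {
        for (Method candidate : method.getDeclaringClass().getDeclaredMethods()) {
            if (method == candidate) {
                return candidate.getAnnotation(RequiresRole.class);
            }
        }
        return null;
    }

    // Fixed scanner: Method.equals() matches on declaring class, name and parameter
    // types, so an equivalent Method from any lookup is recognised and its annotation
    // is returned.
    static RequiresRole findWithEquals(Method method) {
        for (Method candidate : method.getDeclaringClass().getDeclaredMethods()) {
            if (method.equals(candidate)) {
                return candidate.getAnnotation(RequiresRole.class);
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Independent lookup of the same method, as an interceptor would have at call time.
        Method target = AccountService.class.getDeclaredMethod("deleteAccount", String.class);

        RequiresRole viaIdentity = findWithReferenceEquality(target);
        RequiresRole viaEquals = findWithEquals(target);

        System.out.println("== scanner found annotation:     " + (viaIdentity != null));
        System.out.println("equals scanner found annotation: " + (viaEquals != null));
        if (viaEquals != null) {
            System.out.println("required role: " + viaEquals.value());
        }
    }
}
```

Running the class prints `false` for the `==` scanner and `true` for the `equals()` scanner, with the required role `ADMIN` recovered only by the latter. The same one-character change in the comparison is the difference between a protected method and one whose security annotation is silently ignored.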

Hi @tomabai, we are currently looking into this!

helixplant avatar Jun 26 '25 23:06 helixplant

@helixplant hi, is there any update?

tomabai avatar Jul 02 '25 11:07 tomabai

and now? any updates? why is it taking so long?

tomabai avatar Jul 20 '25 08:07 tomabai


@helixplant any updates?

tomabai avatar Oct 15 '25 17:10 tomabai

Hi @tomabai! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

advisory-database[bot] avatar Oct 15 '25 20:10 advisory-database[bot]

Hi @tomabai. Thank you for your patience, we reached out to the CNA to confirm this information. While we have not heard back we’ve been able to validate your findings and have added org.springframework.security:spring-security-core and https://github.com/spring-projects/spring-security/commit/c972de5369a1261ab674a3f5e3a80e8ce3e8cdfb to this advisory.

helixplant avatar Oct 15 '25 20:10 helixplant