
Cloud Vulnerability DB
A community-led vulnerabilities database
Spring Security versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 contain an authorization rules bypass vulnerability (CVE-2022-31692) that could allow unauthorized access to protected endpoints. The vulnerability was discovered by Osword from SGLAB of Legendsec at Qi'anxin Group and was publicly disclosed on October 31, 2022 (Spring Security).
The vulnerability occurs when Spring Security is configured to apply security to the forward and include dispatcher types. The bypass is possible when the application uses the AuthorizationFilter (either directly or via the authorizeHttpRequests() method), configures FilterChainProxy to handle forward/include requests, and configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true). The issue stems from Spring Security 5's default behavior of not applying filters more than once to a request, combined with FilterChainProxy not being configured for the forward and include dispatcher types by default (Spring Security, Snyk Blog).
When successfully exploited, this vulnerability allows attackers to bypass authorization rules and access endpoints that require higher privileges without proper authentication. This could lead to unauthorized access to sensitive data, potential data modification, and exposure of protected resources (Red Hat, NVD).
Users should upgrade to Spring Security 5.7.5 or later for the 5.7.x branch, or to 5.6.9 for the 5.6.x branch. For users unable to upgrade, a workaround is to use authorizeRequests().filterSecurityInterceptorOncePerRequest(false) instead of authorizeHttpRequests().shouldFilterAllDispatcherTypes(true). For versions below 5.7.0, users should implement an ObjectPostProcessor to configure request filtering correctly (Spring Security).
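The following is an added example, not code from the Spring Security advisory or the project itself. It shows the configuration shape the report describes as affected next to the documented workaround, so a reviewer can recognise both in an application's security configuration. The class name, the `/admin/**` endpoint, the package name and the Spring Boot `spring.security.filter.dispatcher-types` property used to register FilterChainProxy for forward/include dispatches are assumptions; the pre-5.7.0 ObjectPostProcessor variant assumes that `FilterSecurityInterceptor.setObserveOncePerRequest(false)` is the setting the advisory's ObjectPostProcessor is meant to apply.

```java
// Added example (not from the advisory or the Spring Security project).
// Package, class and endpoint names are constructed for illustration.
package example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // --- Affected pattern (5.7.0 - 5.7.4, 5.6.x before 5.6.9) ---
    // All three preconditions from the advisory are present here:
    //   1. FilterChainProxy is registered for FORWARD and INCLUDE dispatches.
    //      With Spring Boot (assumed setup) that is the application property
    //        spring.security.filter.dispatcher-types=request,forward,include
    //   2. AuthorizationFilter is used via authorizeHttpRequests().
    //   3. shouldFilterAllDispatcherTypes(true) is set.
    // Deliberately NOT a @Bean: it is shown only so the pattern is recognisable.
    public SecurityFilterChain affectedChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(authorize -> authorize
                .shouldFilterAllDispatcherTypes(true)
                .antMatchers("/admin/**").hasRole("ADMIN")   // constructed endpoint
                .anyRequest().authenticated());
        return http.build();
    }

    // --- Workaround from the advisory (when upgrading is not possible) ---
    // authorizeRequests() with filterSecurityInterceptorOncePerRequest(false)
    // replaces authorizeHttpRequests().shouldFilterAllDispatcherTypes(true), so the
    // FilterSecurityInterceptor re-evaluates authorization on forward/include
    // dispatches instead of observing the request only once.
    @Bean
    public SecurityFilterChain workaroundChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(authorize -> authorize
                .filterSecurityInterceptorOncePerRequest(false)
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated());
        return http.build();
    }

    // --- Variant for versions below 5.7.0, via ObjectPostProcessor ---
    // The report says pre-5.7.0 users should implement an ObjectPostProcessor;
    // this is one assumed shape of it, turning off observeOncePerRequest directly
    // on the FilterSecurityInterceptor that authorizeRequests() builds.
    public SecurityFilterChain legacyWorkaroundChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(authorize -> authorize
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
                    @Override
                    public <O extends FilterSecurityInterceptor> O postProcess(O fsi) {
                        fsi.setObserveOncePerRequest(false);
                        return fsi;
                    }
                }));
        return http.build();
    }
}
```

When auditing a deployment, the practical check is to confirm which of these three shapes the application actually registers as its SecurityFilterChain bean and which dispatcher types the security filter is mapped for; the affected combination is only the first method together with a forward/include filter mapping, and the clean fix remains upgrading to 5.7.5 or 5.6.9.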
Source: This report was generated using AI