Spring Security is a powerful authentication and access control framework for Java applications, particularly those built using Spring Framework. It provides a comprehensive security solution, addressing various concerns such as authentication, authorization, and protection against common security vulnerabilities.
Authorization Bypass through User-Controlled Key takes place when the system’s authorization functionality does not prevent one user from gaining access to another user’s data or record by modifying the key value identifying the data.
In this CVE, Spring Security is impacted by Authorization Bypass for Case Sensitive Comparisons in Spring Security. It is an equivalent of CVE-2024-38820 but for Spring Security. The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.
This issue affects multiple versions of:
org.springframework.security:spring-security-taglibs package.
org.springframework.security:spring-security-cas package, org.springframework.security:spring-security-config package,
Org.springframework.security:spring-security-core package,
Org.springframework.security:spring-security-crypto package,
Org.springframework.security:spring-security-data package,
Org.springframework.security:spring-security-ldap package, org.springframework.security:spring-security-oauth2-client package, org.springframework.security:spring-security-taglibs package, org.springframework.security:spring-security-web package.
Tech Support
Documentation
Login
Contact Us
