Description
Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass. Your application may be affected by this if the following are true:
- You are using @EnableMethodSecurity(mode=ASPECTJ) and spring-security-aspects, and
- You have Spring Security method annotations on a private method.
In that case, the target method may be able to be invoked without proper authorization. You are not affected if:
- You are not using @EnableMethodSecurity(mode=ASPECTJ) or spring-security-aspects, or
- You have no Spring Security-annotated private methods
A flaw was found in Spring Security Aspects. Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to improperly locating method security annotations on private methods. An attacker could invoke the target method without proper authorization by exploiting this vulnerability.
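As an added check (not part of this advisory or of Spring Security itself), the following Python script scans Java source text for the two conditions the description names: an @EnableMethodSecurity(mode = ASPECTJ) declaration and a Spring Security method-security annotation on a private method, reporting "at risk" only when both hold. The annotation set and the sample Java source are constructed assumptions.

```python
import re
# Assumed set of Spring Security method-security annotations to look for.
SECURITY_ANNOTATIONS = {"PreAuthorize", "PostAuthorize", "PreFilter", "PostFilter", "Secured", "RolesAllowed"}
ENABLE_RE = re.compile(r"@EnableMethodSecurity\s*\(([^)]*)\)")
ANNOTATION_RE = re.compile(r"@(\w+)")
# 'private', a return type, then the method name and its '('; fields never match because '=' or ';' precede any '('.
PRIVATE_METHOD_RE = re.compile(r"\bprivate\b[^=;(]*\b(\w+)\s*\(")


def uses_aspectj_mode(source: str) -> bool:
    """True if an @EnableMethodSecurity(...) in the source selects AdviceMode.ASPECTJ."""
    return any(re.search(r"\bmode\s*=\s*(?:AdviceMode\.)?ASPECTJ\b", args)
               for args in ENABLE_RE.findall(source))


def find_annotated_private_methods(source: str) -> list[tuple[str, str, int]]:
    """(annotation, method, line_no) for each private method carrying a security annotation."""
    findings, pending = [], []
    for no, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        names = [n for n in ANNOTATION_RE.findall(line) if n in SECURITY_ANNOTATIONS]
        m = PRIVATE_METHOD_RE.search(line)
        if line.startswith("@") and not m:
            pending.extend(names)   # annotation-only line: keep collecting
            continue
        if m:                       # private method: attach pending and inline annotations
            findings.extend((a, m.group(1), no) for a in pending + names)
        pending = []                # any other statement ends the annotation run
    return findings


def audit(source: str) -> dict[str, object]:
    hits, aspectj = find_annotated_private_methods(source), uses_aspectj_mode(source)
    return {"aspectj_mode": aspectj, "private_annotated": hits, "at_risk": aspectj and bool(hits)}


# Constructed sample Java source, not taken from any real project.
SAMPLE = """\
@EnableMethodSecurity(mode = AdviceMode.ASPECTJ)
class SecurityConfig {}
class LedgerService {
    private static final Logger log = LoggerFactory.getLogger(LedgerService.class);
    @PreAuthorize("hasRole('ADMIN')")
    public void closeAccount(String id) {}  // public: located by the aspect
    @PreAuthorize("hasRole('ADMIN')")
    private void wipeLedger(String id) {}   // private: may be invoked unchecked
    @Secured("ROLE_AUDITOR") private String exportLedger() { return ""; }
    private void helper() {}                // unannotated: not reported
}
"""
```

Running `audit(SAMPLE)` flags the two annotated private methods and marks the sample at risk; switching the configuration to `AdviceMode.PROXY` clears the at-risk flag while still listing the private methods for review.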
Statement
Red Hat build of Apache Camel for Spring Boot 4 does not use org.springframework.security:spring-security-aspects. We don't have this anywhere in camel/camel-spring-boot and we have no direct vulnerability in CSB. The risk lies with spring-boot-dependencies 3.4.5, which could pull in the vulnerable spring-security-aspects if explicitly added by a user.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected Packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
A-MQ Clients 2 | spring-security-core | Not affected | ||
OpenShift Developer Tools and Services | jenkins | Not affected | ||
Red Hat build of Apache Camel for Spring Boot 4 | spring-security-core | Affected | ||
Red Hat build of Quarkus | quarkus-bom | Not affected | ||
Red Hat Data Grid 8 | spring-security-core | Not affected | ||
Red Hat Fuse 7 | org.apache.servicemix.bundles.spring-security-core | Not affected | ||
Red Hat Fuse 7 | spring-security-core | Not affected | ||
Red Hat Integration Camel K 1 | spring-security-core | Not affected | ||
Red Hat JBoss Enterprise Application Platform 7 | spring-security-core | Not affected | ||
Red Hat JBoss Enterprise Application Platform 8 | spring-security-core | Not affected | ||
Additional information
CVSS3 score: 7.4 High
Related vulnerabilities
Spring Security authorization bypass for method security annotations on private methods
A vulnerability in the @EnableMethodSecurity(mode=ASPECTJ) configuration or in spring-security-aspects of Spring Security, the Java framework for securing enterprise applications, allowing an attacker to bypass the authorization procedure