
Grails Spring Security Core Plugin Improper Privilege Management Vulnerability

By Matthew Moss

November 22, 2022

Information regarding CVE-2022-41923

Overview

The Grails team has confirmed a security vulnerability found in the Grails Spring Security Core plugin, initially identified by Adrien Peter and Benjamin Sepe from Synacktiv, and investigated and reported by Arek Bazylewicz of ID5. This vulnerability has been assigned identifier CVE-2022-41923.

The vulnerability allows an attacker to reach one endpoint (the targeted endpoint) while satisfying only the authorization requirements of a different endpoint (the donor endpoint). In some Grails framework applications, access to the targeted endpoint is granted because the authorization requirements of the donor endpoint were met, which can result in privilege escalation.
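The advisory does not describe the mechanism, so the following is a constructed, language-neutral model of the weakness class it names, not Grails or plugin code: an authorizer that decides on one "controller/action" key while the dispatcher routes to another, so the donor endpoint's rule gates the targeted endpoint. Every name, path, role and rule here is hypothetical, as is the dispatcher behaviour (routing on the last two path segments). The useful part for a defender is the invariant: the authorizer must evaluate exactly the endpoint the dispatcher will run, and `find_mismatches` is a regression check for that invariant.

```python
from dataclasses import dataclass

# Hypothetical access rules, keyed by canonical "controller/action" (constructed).
RULES = {
    "admin/deleteUser": {"ROLE_ADMIN"},
    "profile/show": {"ROLE_USER"},
}


@dataclass(frozen=True)
class Request:
    raw_path: str
    roles: frozenset


def _segments(raw_path: str) -> list:
    return [s for s in raw_path.split("/") if s]


def resolve_endpoint(raw_path: str) -> str:
    """Hypothetical dispatcher: routes on the LAST two path segments
    (imagine optional leading prefixes). Returns '' when the path is too
    short to name a controller and an action."""
    seg = _segments(raw_path)
    return "/".join(seg[-2:]) if len(seg) >= 2 else ""


def authz_key_from_prefix(raw_path: str) -> str:
    """Weak authorizer's view: the FIRST two segments. When the path has
    more than two segments this is the donor endpoint, not the target."""
    seg = _segments(raw_path)
    return "/".join(seg[:2]) if len(seg) >= 2 else ""


def _allowed(endpoint: str, roles) -> bool:
    required = RULES.get(endpoint)
    # Default deny: an endpoint with no rule is never reachable.
    return required is not None and bool(required & roles)


def weak_authorize(req: Request) -> bool:
    # Decides on a key derived independently of the dispatcher.
    return _allowed(authz_key_from_prefix(req.raw_path), req.roles)


def fixed_authorize(req: Request) -> bool:
    # Single source of truth: authorize the endpoint the dispatcher will run.
    return _allowed(resolve_endpoint(req.raw_path), req.roles)


def dispatch(req: Request, authorize) -> str:
    """Returns the endpoint that handled the request, or '' if denied."""
    if not authorize(req):
        return ""
    return resolve_endpoint(req.raw_path)


def find_mismatches(paths):
    """Defender's regression check: every path on which the authorizer's
    key differs from the dispatcher's endpoint is a donor/targeted pair."""
    out = []
    for p in paths:
        a, d = authz_key_from_prefix(p), resolve_endpoint(p)
        if a != d:
            out.append((p, a, d))
    return out
```

With `weak_authorize`, a caller holding only `ROLE_USER` reaches `admin/deleteUser` because the rule for `profile/show` was the one evaluated; with `fixed_authorize` the same request is denied. The design point is that the fix is not a better rule but the same resolution code on both sides of the check.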

Update: Synacktiv has made available their security advisory (PDF) on this vulnerability.

Impacted Applications

Affected Grails Spring Security Core plugin versions:

  • 1.x
  • 2.x
  • >=3.0.0 <3.3.2
  • >=4.0.0 <4.0.5
  • >=5.0.0 <5.1.1

We strongly suggest that all Grails framework applications using the Grails Spring Security Core plugin be updated to a patched release of the plugin.

Protecting Your Applications

Patched releases of the Grails Spring Security Core plugin are available; for the 3.x, 4.x and 5.x lines, the first releases outside the affected ranges listed above are 3.3.2, 4.0.5 and 5.1.1 respectively.

The best way to protect your Grails framework application is to upgrade to a patched release of this plugin.

If you are unable to upgrade to a patched version of the plugin, you can work around the issue with a small code and configuration change described in this GitHub repository. We have provided workaround examples for Grails framework 2 through 5 applications. A demonstration of the vulnerability will be provided in time, after users have an opportunity to patch their applications.

Looking Forward

The Grails Foundation and the Grails development team take application security very seriously. We are continuing to research and monitor this vulnerability and will update this post with new information as it is discovered.

If you have questions about this vulnerability or need assistance on upgrades or workarounds, please see the discussion on GitHub or contact us at [email protected].
