Spring Security Authorization Bypass Vulnerability in Method Annotations on Parameterized Types

Vulnerability

Spring Security versions 6.4.0 through 6.4.3 may fail to locate method security annotations (for example @PreAuthorize) when the annotation is declared on a parameterized superclass, interface, or overridden method and the concrete target method carries no annotation of its own. An application is affected when it uses @EnableMethodSecurity and relies on annotations placed on such parameterized ancestors rather than on the target methods. Because the method security interceptor does not find the annotation, the target method is invoked without the authorization check the annotation was meant to enforce.

Impact

A caller without the required authorities could reach methods that were intended to be protected by security annotations, leading to unauthorized actions or exposure of data that the application expected method security to guard.

Remediation

Users of affected Spring Security versions should upgrade to version 6.4.4. If an upgrade is not immediately possible, apply the method security annotations directly to the target methods instead of relying on their parameterized ancestors, or publish an 'AuthorizationManagerBeforeMethodInterceptor' that correctly identifies annotations on parameterized types. Applications that do not use '@EnableMethodSecurity' are not affected by this issue.
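The annotation placement the advisory describes, the "annotate the target method" mitigation, and a test that checks the resulting behaviour, as an added Java example that is not part of this advisory or of the Spring Security project. SecuredStore, Report, ReportStore, HardenedReportStore and MethodSecurityConfig are hypothetical names; the example assumes spring-security-config, spring-test and spring-security-test on the classpath with JUnit 5.

```java
// Added illustration, not code from the advisory or from Spring Security.
// All type and method names below are hypothetical.
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

// Turns on the method security interceptors the advisory is about.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

record Report(String body) {
}

// Parameterized ancestor that carries the security annotation.
interface SecuredStore<T> {
    @PreAuthorize("hasRole('ADMIN')")
    void save(T item);
}

// Affected pattern: the concrete target method has no annotation of its own and
// relies on the one declared on SecuredStore.save(T). On 6.4.0 - 6.4.3 that
// annotation may not be located for this method, so a non-admin caller may reach it.
@Service
class ReportStore implements SecuredStore<Report> {
    @Override
    public void save(Report item) {
        // persist the report (omitted)
    }
}

// Mitigation when an upgrade to 6.4.4 is not yet possible: repeat the annotation on
// the target method so the check does not depend on resolving the parameterized
// ancestor.
@Service
class HardenedReportStore implements SecuredStore<Report> {
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    public void save(Report item) {
        // persist the report (omitted)
    }
}

@SpringJUnitConfig({MethodSecurityConfig.class, ReportStore.class, HardenedReportStore.class})
class ReportStoreAuthorizationTest {

    @Autowired
    ReportStore ancestorOnlyStore;

    @Autowired
    HardenedReportStore hardenedStore;

    // Regression check for this advisory: fails on an affected version (the call
    // succeeds for a plain USER) and passes once the annotation is located correctly.
    @Test
    @WithMockUser(roles = "USER")
    void annotationOnParameterizedAncestorIsEnforced() {
        assertThrows(AccessDeniedException.class,
                () -> ancestorOnlyStore.save(new Report("q1")));
    }

    // The hardened class is protected regardless of the ancestor-lookup behaviour.
    @Test
    @WithMockUser(roles = "USER")
    void nonAdminIsRejectedByTargetMethodAnnotation() {
        assertThrows(AccessDeniedException.class,
                () -> hardenedStore.save(new Report("q1")));
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void adminIsAllowed() {
        assertDoesNotThrow(() -> hardenedStore.save(new Report("q1")));
    }
}
```

Running the first test against each Spring Security version pinned in the build is a quick way to confirm whether a given deployment is exposed and whether the upgrade to 6.4.4 closed the gap; the other two tests document the expected behaviour of the mitigated class.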

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          4.2
impact          5.0
exploitability  4.7
remediation     8.3
relevance       0.0
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.