Spring Security
cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*, +1 more
- >= 6.4.0, <= 6.4.9
- >= 6.5.0, <= 6.5.3
A vulnerability exists in Spring Security versions 6.4.0 through 6.4.9 and 6.5.0 through 6.5.3, where the annotation detection mechanism may fail to properly resolve annotations on methods within type hierarchies that have a parameterized super type with unbounded generics. This issue can lead to an authorization bypass when using method security annotations such as @PreAuthorize. The vulnerability affects applications that utilize Spring Security's @EnableMethodSecurity feature and apply security annotations on methods in generic superclasses or interfaces.
Exploitation of this vulnerability can result in unauthorized access to methods that should be protected by security annotations, allowing users to bypass authorization checks and potentially access sensitive resources or functionality.
Users of affected versions should upgrade to Spring Security 6.4.10 or 6.5.4. If an upgrade is not possible, ensure that all secured target methods are declared in their target class.
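The following is an added illustration of the workaround in the last sentence, not code from the advisory or from the Spring Security project. It assumes a hypothetical service hierarchy (`GenericRepositoryService`, `AccountService`, `Account`) and that method security is enabled with `@EnableMethodSecurity`; the exact hierarchy shapes that trigger the bug are not spelled out on this page, so the first class only reproduces the general pattern the advisory names (the annotation lives on a method of a generic supertype with an unbounded type parameter), while the second shows the recommended fix of declaring the secured method, with its annotation, directly in the target class.

```java
// Added example: mitigation of declaring secured methods in the target class.
// All class names below are hypothetical.
import java.util.List;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

// Method security is what makes @PreAuthorize take effect at all.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

record Account(String id) {
}

// Pattern the advisory describes as affected on 6.4.0-6.4.9 and 6.5.0-6.5.3:
// the security annotation is declared on a method of a generic supertype
// (type parameter T has no bound), and the concrete class merely inherits it.
abstract class GenericRepositoryService<T> {

    @PreAuthorize("hasRole('ADMIN')")
    public List<T> findAll() {
        return doFindAll();
    }

    protected abstract List<T> doFindAll();
}

// Relies on the inherited findAll() and its inherited annotation. Per the
// advisory, annotation detection may not resolve it here on affected versions.
@Service
class InheritedAccountService extends GenericRepositoryService<Account> {

    @Override
    protected List<Account> doFindAll() {
        return List.of(); // constructed sample data source
    }
}

// Workaround from the advisory when an upgrade is not possible: declare the
// secured method in the target class itself and repeat the annotation there,
// so detection no longer depends on walking the parameterized type hierarchy.
@Service
class AccountService extends GenericRepositoryService<Account> {

    @Override
    @PreAuthorize("hasRole('ADMIN')")
    public List<Account> findAll() {
        return super.findAll();
    }

    @Override
    protected List<Account> doFindAll() {
        return List.of(); // constructed sample data source
    }
}
```

A regression check that keeps this from silently reappearing is a Spring test that calls `accountService.findAll()` under `@WithMockUser` with a non-admin role and asserts that `AccessDeniedException` is thrown; the same test run against `InheritedAccountService` on an affected version is how to confirm whether a given hierarchy in your code base is exposed before and after the upgrade to 6.4.10 or 6.5.4.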