Spring Framework Annotation Detection Vulnerability in Type Hierarchies with Unbounded Generics

Vulnerability

A vulnerability exists in the Spring Framework's annotation detection mechanism: annotations on methods declared in a type hierarchy whose parameterized supertype uses unbounded generics may not be resolved correctly. The issue matters when such annotations drive authorization decisions. Applications using Spring Security's @EnableMethodSecurity feature may be affected. Applications that do not use @EnableMethodSecurity, or that do not place security annotations on methods of generic superclasses or interfaces, are not affected.

Impact

A security annotation that is not resolved is not enforced. The flaw can therefore lead to incorrect authorization decisions and allow access to methods or resources that should have been denied.
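The pattern the advisory describes (a security annotation declared on a method of a generic supertype, inherited by a concrete bean under @EnableMethodSecurity), together with the regression check a practitioner would want: a test that asserts the inherited @PreAuthorize rule is actually enforced on the concrete bean. This is an added example, not code from the advisory or from the Spring projects. The types Repository, Document and DocumentRepository, the role names, and the assumed dependencies (spring-context, spring-security-config 6.x, junit-jupiter) are all assumptions made for the illustration; the example does not claim that this exact hierarchy triggers the flaw, only that it is the shape the advisory says to review.

```java
// Added example: authorization rule on a generic supertype, checked on the concrete bean.
// Hypothetical types (Repository, Document, DocumentRepository); not Spring project code.
// Assumed dependencies: spring-context, spring-security-config (6.x), junit-jupiter.
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.context.SecurityContextHolder;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

class GenericSupertypeMethodSecurityTest {

    // Parameterized supertype with an unbounded type parameter T.
    // The authorization rule lives here, not on the concrete class.
    interface Repository<T> {
        @PreAuthorize("hasRole('ADMIN')")
        T findById(String id);
    }

    record Document(String id, String body) {}

    // Concrete implementation: inherits the rule from the generic interface
    // and carries no security annotation of its own.
    static class DocumentRepository implements Repository<Document> {
        @Override
        public Document findById(String id) {
            return new Document(id, "constructed sample record " + id);
        }
    }

    @Configuration
    @EnableMethodSecurity
    static class Config {
        @Bean
        Repository<Document> documentRepository() {
            return new DocumentRepository();
        }
    }

    private final AnnotationConfigApplicationContext ctx =
            new AnnotationConfigApplicationContext(Config.class);

    @AfterEach
    void cleanUp() {
        SecurityContextHolder.clearContext();
        ctx.close();
    }

    // Puts an already-authenticated principal with the given roles into the
    // security context, so the @PreAuthorize check has something to evaluate.
    private static void runAs(String... roles) {
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("user", "n/a", roles));
    }

    @SuppressWarnings("unchecked")
    private Repository<Document> repo() {
        return ctx.getBean(Repository.class);
    }

    @Test
    void adminCanRead() {
        runAs("ROLE_ADMIN");
        assertEquals("doc-1", repo().findById("doc-1").id());
    }

    @Test
    void nonAdminIsDenied() {
        runAs("ROLE_USER");
        // If the @PreAuthorize declared on Repository<T> is not resolved for the
        // concrete method, the call returns normally and this assertion fails.
        // That silent pass is the failure mode the advisory describes.
        assertThrows(AccessDeniedException.class, () -> repo().findById("doc-1"));
    }
}
```

The second test is the useful one: it encodes the expectation that the rule inherited from the generic supertype is enforced, so it fails loudly if annotation resolution breaks, whether through this issue or through a later refactoring of the hierarchy. Running it against the upgraded framework version confirms the fix for the hierarchies your application actually uses; the advisory itself does not state which exact generic shapes are affected, so a test over your own types is the reliable check.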

Remediation

Users of Spring Framework 6.2.x, 6.1.x and 5.3.x should upgrade to the fixed release for their line: 6.2.11 for open-source users, and 6.1.23 and 5.3.45 for users of Spring's commercial support offering. The 6.0.x line is out of support; users on it should move to a supported line to receive the fix.

Added: Sep 16, 2025, 4:35 PM
Updated: Sep 16, 2025, 4:35 PM

Vulnerability Rating

Custom Algorithm

  spread          7.8
  impact          1.3
  exploitability  4.7
  remediation     7.7
  relevance       0.5
  threat          0.0
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.