Spring Security TOCTOU Race Condition Vulnerability in JdbcOneTimeTokenService

Vulnerability

A Time-of-check to time-of-use (TOCTOU) race condition vulnerability has been identified in Spring Security versions 6.4.0 through 6.4.15, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4. It affects applications that configure One-Time Token login with JdbcOneTimeTokenService. Because the token is checked and then consumed in separate steps, an attacker who holds a valid one-time token can send concurrent requests to the authentication endpoint so that each request passes the check before any of them has consumed the token; the token is then used multiple times and creates several authenticated sessions. The default InMemoryOneTimeTokenService is thread-safe and is not vulnerable to this issue.
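The race, and one way to close it, as an added example that is not Spring Security's code: a Python/SQLite stand-in for a JDBC-backed token store, with a check-then-delete consume beside a consume that trusts only the DELETE's row count. The table and column names, the barrier hook that forces the interleaving, and the race helper are assumptions made for the demonstration; the exact change shipped in the fixed Spring Security releases is not described on this page.

```python
import sqlite3
import threading
from datetime import datetime, timedelta, timezone

# Constructed table: one row per issued token. The column names are an
# assumption for this example, not Spring Security's schema.
SCHEMA = """
CREATE TABLE one_time_tokens (
    token_value TEXT PRIMARY KEY,
    username    TEXT NOT NULL,
    expires_at  TEXT NOT NULL
)
"""


class TokenStore:
    """Minimal stand-in for a JDBC-backed one-time token store (assumption)."""

    def __init__(self):
        # autocommit mode: every statement is its own atomic unit of work,
        # as a plain JDBC call without an enclosing transaction would be.
        self.conn = sqlite3.connect(":memory:", check_same_thread=False, isolation_level=None)
        self.conn.execute(SCHEMA)
        # Serialises individual statements the way the database engine would;
        # it deliberately does NOT make a multi-statement sequence atomic.
        self.lock = threading.Lock()

    def _query_one(self, sql, params=()):
        with self.lock:
            return self.conn.execute(sql, params).fetchone()

    def _execute(self, sql, params=()):
        with self.lock:
            return self.conn.execute(sql, params).rowcount

    def issue(self, token, username, ttl=timedelta(minutes=5)):
        expires = (datetime.now(timezone.utc) + ttl).isoformat()
        self._execute("INSERT INTO one_time_tokens VALUES (?, ?, ?)", (token, username, expires))

    @staticmethod
    def _expired(expires_at):
        return datetime.fromisoformat(expires_at) < datetime.now(timezone.utc)

    def consume_toctou(self, token, barrier=None):
        """Vulnerable pattern: the SELECT decides, the DELETE comes later.

        Between the check and the delete a concurrent request can run the
        same SELECT and also see the token as valid.
        """
        row = self._query_one(
            "SELECT username, expires_at FROM one_time_tokens WHERE token_value = ?", (token,))
        if row is None or self._expired(row[1]):
            return None
        if barrier is not None:
            barrier.wait(timeout=5)  # test hook: hold until every racer has passed the check
        self._execute("DELETE FROM one_time_tokens WHERE token_value = ?", (token,))
        return row[0]

    def consume_atomic(self, token, barrier=None):
        """Hardened pattern: the single DELETE is the check.

        Only the request whose DELETE actually removed the row (rowcount == 1)
        may authenticate; every other racer gets None.
        """
        row = self._query_one(
            "SELECT username, expires_at FROM one_time_tokens WHERE token_value = ?", (token,))
        if row is None:
            return None
        if barrier is not None:
            barrier.wait(timeout=5)  # same forced interleaving as above
        if self._execute("DELETE FROM one_time_tokens WHERE token_value = ?", (token,)) != 1:
            return None  # another request consumed it first
        if self._expired(row[1]):
            return None  # consumed, but expired: still not a login
        return row[0]


def race(consume, token, n=2):
    """Run n concurrent consumers of the same token; return the successful results."""
    barrier = threading.Barrier(n)
    results = [None] * n

    def worker(i):
        results[i] = consume(token, barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return [r for r in results if r is not None]


if __name__ == "__main__":
    store = TokenStore()
    store.issue("tok-vuln", "alice")
    print("check-then-delete, 2 concurrent requests:", race(store.consume_toctou, "tok-vuln"))
    store.issue("tok-safe", "alice")
    print("row-count consume, 2 concurrent requests:", race(store.consume_atomic, "tok-safe"))
```

The barrier only makes the interleaving reproducible; in a real deployment the same window exists whenever two HTTP requests carrying the token are processed on different threads or nodes. The hardened variant still reads the row, but nothing is decided from that read: authentication succeeds only when the delete reports exactly one affected row, so a database that serialises single statements is enough to make the token single-use.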

Impact

Exploitation of this vulnerability allows a single one-time token to authenticate multiple sessions, bypassing the intended single-use restriction: a token that should be invalidated by its first use can still be redeemed by requests that reach the endpoint concurrently with it, potentially granting unauthorized access.

Remediation

Users of Spring Security 6.4.x should upgrade to 6.4.16, users of 6.5.x should upgrade to 6.5.10, and users of 7.0.x should upgrade to 7.0.5. Applications that use the default InMemoryOneTimeTokenService are not affected and need no change.

Added: Apr 21, 2026, 8:14 PM
Updated: Apr 21, 2026, 8:14 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 0.6
exploitability: 3.7
remediation: 7.7
relevance: 6.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.