CVE-2022-31692 Overview
CVE-2022-31692 is a critical authorization bypass vulnerability in VMware Spring Security that allows attackers to circumvent security rules through forward or include dispatcher types. This flaw enables unauthorized access to protected endpoints by exploiting the way Spring Security handles request forwarding and inclusion mechanisms.
The vulnerability specifically affects applications that configure Spring Security's AuthorizationFilter to apply security checks to forward and include dispatcher types. When an application forwards or includes a request to a higher privilege-secured endpoint, the authorization rules may be bypassed entirely, potentially exposing sensitive functionality to unauthenticated or lower-privileged users.
Critical Impact
An unauthenticated or low-privileged client that can reach a public endpoint whose handler forwards or includes into a privileged one receives the privileged endpoint's response, because the target's authorization rule is never evaluated on the forward or include dispatch. Depending on what sits behind those endpoints, that means disclosure of sensitive data or execution of administrative functions without the credentials the rule was meant to require.
Affected Products
- VMware Spring Security versions 5.7 prior to 5.7.5
- VMware Spring Security versions 5.6 prior to 5.6.9
- NetApp Active IQ Unified Manager (VMware vSphere and Windows)
Discovery Timeline
- 2022-10-31 - CVE-2022-31692 published to NVD
- 2025-05-06 - Last updated in NVD database
Technical Details for CVE-2022-31692
Vulnerability Analysis
This is an authorization bypass in which a configured access rule is silently not applied; it occurs only when specific conditions align in a Spring Security configuration. All of the following must be true:
- The application expects Spring Security to apply security to forward and include dispatcher types
- The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method
- The FilterChainProxy is configured to apply to forward and/or include requests (e.g., spring.security.filter.dispatcher-types = request, error, async, forward, include)
- The application may forward or include requests to higher privilege-secured endpoints
- Spring Security is configured to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true)
When these conditions are met, the security framework fails to properly enforce authorization rules during request forwarding or inclusion, allowing attackers to reach protected resources without proper authentication or authorization.
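What the five conditions look like in code, as an added example written for this page (it is not code from the original article or from the Spring Security project). It is a Spring Boot 2.7 / Spring Security 5.7.x (before 5.7.5) application; the /public and /admin paths, the ADMIN role and the preview/report handlers are hypothetical, and it assumes a standard @SpringBootApplication class with component scanning and the application.properties line shown in the header comment.

```java
// Added example for this page, not code from the original article or the Spring Security
// project. Spring Boot 2.7 / Spring Security 5.7.x before 5.7.5; paths and roles hypothetical.
//
// application.properties (condition 3: the filter chain also runs on forward/include):
//   spring.security.filter.dispatcher-types=request,error,async,forward,include

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Configuration
public class VulnerableSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // condition 2: rules are enforced by AuthorizationFilter via authorizeHttpRequests()
            .authorizeHttpRequests(authorize -> authorize
                // condition 5: intended to make the rules apply on every dispatcher type
                .shouldFilterAllDispatcherTypes(true)
                .antMatchers("/admin/**").hasRole("ADMIN")   // requestMatchers(...) from 5.8 on
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated())
            .httpBasic();
        return http.build();
    }
}

@Controller
class PreviewController {

    // condition 4: a public handler re-dispatches the same request into /admin/**.
    // Condition 1 is the developer's expectation that the ADMIN rule is checked on that
    // FORWARD dispatch. On an affected version it is not, so an anonymous
    // GET /public/preview returns the admin-only report.
    @GetMapping("/public/preview")
    public void preview(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.getRequestDispatcher("/admin/report").forward(request, response);
    }

    @GetMapping("/admin/report")
    @ResponseBody
    public String report() {
        return "admin-only report";
    }
}
```

A direct request to /admin/report is still challenged, which is why the problem is easy to miss in testing: only the forwarded path is unprotected. The same re-dispatch happens when a Spring MVC handler returns a "forward:/admin/report" view name, so grep for both forms when auditing.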
Root Cause
The AuthorizationFilter carries a once-per-request guard: on the first (REQUEST) dispatch it records on the request that it has already run, and on any later dispatch of that same request it short-circuits before consulting the authorization manager. A forward or include re-dispatches the very same request object under a new target path, so the guard fires and the target's rule is never evaluated; the only decision ever made was the one for the public entry point. In affected versions shouldFilterAllDispatcherTypes(true) switched on checking for error and async dispatches but left this guard in place, which is why a configuration that appears to cover every dispatcher type still lets forwards and includes through. The fixed releases make the option disable the guard as well, so the target's rule is evaluated again on the re-dispatch.
Attack Vector
This vulnerability is exploitable over the network without authentication or user interaction, but the attacker supplies no special payload: the forward or include is performed by the application's own handler, so the entry point is simply any publicly reachable endpoint whose code forwards or includes into a path with a stricter rule. Exploitation is therefore application-specific.
The attack typically involves:
- Identifying public endpoints whose handlers call RequestDispatcher.forward() or include(), return a "forward:" view name, or otherwise re-dispatch the request
- Requesting those endpoints with whatever parameters drive the forward to a protected path
- Consuming the protected resource's response, which is produced without the target's authorization rule being evaluated
- Using that access to reach sensitive data or administrative operations behind the target
The affected-configuration conditions above are taken from the VMware Security Advisory; consult it for the authoritative statement of scope and fixed versions.
Detection Methods for CVE-2022-31692
Indicators of Compromise
- Privileged content returned to anonymous or low-privileged sessions, in particular protected responses for requests whose logged URL is a public path (a container access log records the original request URL, not the forward target)
- Application logs showing a privileged handler executed with no matching authentication event or authorization decision for its path
- Forward or include dispatches into sensitive paths while the security context holds an anonymous principal; this is visible only if the application logs dispatcher types, since the skipped check itself leaves no trace
- Low-privilege requests that produce high-privilege side effects (administrative state changes, data exports)
Detection Strategies
- Publish and monitor Spring Security authorization events (AuthorizationEventPublisher, available from 5.7) or enable DEBUG/TRACE logging for org.springframework.security.web, and treat a privileged path that is served with no corresponding authorization decision as suspect
- Add application-level logging of forward and include dispatches (dispatcher type, origin URL, target URL, current principal), since neither Spring Security nor the container access log records them by default
- Web application firewall rules cannot see server-side forwards; use them only to flag unusual request volumes to the public endpoints known to forward into privileged paths
- Use SentinelOne Singularity platform to detect anomalous application behavior and unauthorized access attempts
Monitoring Recommendations
- Enable TRACE logging for org.springframework.security.web (in Spring Boot, logging.level.org.springframework.security.web=TRACE) so the request-matcher authorization manager's decisions are logged; a skipped forward produces no decision entry, so the absence of a decision for a privileged path is itself the signal
- Configure alerting for access to sensitive endpoints that doesn't match expected authentication patterns
- Implement runtime application self-protection (RASP) to detect and block authorization bypass attempts
- Review application logs regularly for evidence of unauthorized endpoint access
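The forward/include logging recommended above, as an added example written for this page (not code from the original article or from Spring Security). It registers a plain servlet filter for the FORWARD and INCLUDE dispatches only, so it runs even when the security filter chain does not, and records origin, target and principal; it assumes a Spring Boot 2.x servlet application on javax.servlet, and the privileged prefixes /admin/ and /internal/ are hypothetical.

```java
// Added example for this page, not code from the original article or Spring Security.
// Spring Boot 2.x on javax.servlet; the privileged prefixes below are hypothetical.

import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

@Configuration
public class DispatchAuditConfig {

    // Hypothetical: path prefixes whose handlers require more than an anonymous principal.
    static final String[] PRIVILEGED_PREFIXES = { "/admin/", "/internal/" };

    @Bean
    FilterRegistrationBean<DispatchAuditFilter> dispatchAuditFilter() {
        FilterRegistrationBean<DispatchAuditFilter> reg =
                new FilterRegistrationBean<>(new DispatchAuditFilter());
        // Only the re-dispatches are interesting; the original REQUEST is in the access log.
        // This runs regardless of spring.security.filter.dispatcher-types.
        reg.setDispatcherTypes(EnumSet.of(DispatcherType.FORWARD, DispatcherType.INCLUDE));
        reg.addUrlPatterns("/*");
        reg.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return reg;
    }

    static class DispatchAuditFilter implements Filter {
        private static final Logger log = LoggerFactory.getLogger(DispatchAuditFilter.class);

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            DispatcherType type = request.getDispatcherType();
            String origin;
            String target;
            if (type == DispatcherType.FORWARD) {
                // After a forward, getRequestURI() already names the target; the container
                // keeps the original URI in the javax.servlet.forward.request_uri attribute.
                origin = (String) request.getAttribute(RequestDispatcher.FORWARD_REQUEST_URI);
                target = request.getRequestURI();
            } else {
                // During an include, getRequestURI() is still the outer request; the included
                // URI is in the javax.servlet.include.request_uri attribute.
                origin = request.getRequestURI();
                target = (String) request.getAttribute(RequestDispatcher.INCLUDE_REQUEST_URI);
            }
            // The SecurityContext was populated on the REQUEST dispatch and is still bound to
            // this thread, whether or not the security filter chain runs on the re-dispatch.
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            boolean anonymous = auth == null || auth instanceof AnonymousAuthenticationToken;
            String principal = anonymous ? "anonymous" : auth.getName();
            if (anonymous && isPrivileged(target)) {
                log.warn("{} from {} into privileged path {} with anonymous principal", type, origin, target);
            } else {
                log.info("{} from {} to {} as {}", type, origin, target, principal);
            }
            chain.doFilter(req, res);
        }

        static boolean isPrivileged(String path) {
            if (path == null) {
                return false;
            }
            for (String prefix : PRIVILEGED_PREFIXES) {
                if (path.startsWith(prefix)) {
                    return true;
                }
            }
            return false;
        }
    }
}
```

Alert on the WARN line. On an affected version every such entry is a request that reached the privileged handler without its rule being evaluated; on a fixed version the same entry is followed by a denial from the AuthorizationFilter, so the line remains useful as a record of which public endpoints forward into sensitive paths.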
How to Mitigate CVE-2022-31692
Immediate Actions Required
- Upgrade Spring Security to version 5.7.5 or later for the 5.7.x branch
- Upgrade Spring Security to version 5.6.9 or later for the 5.6.x branch
- Review application configurations for vulnerable dispatcher type settings
- Audit endpoint access controls and forward/include operations in your application
Patch Information
VMware has released patched versions that address this vulnerability. Organizations should upgrade to Spring Security 5.7.5 or 5.6.9 depending on their current version branch. Refer to the VMware Security Advisory for official patch guidance. NetApp customers should consult the NetApp Security Advisory for Active IQ Unified Manager updates.
Workarounds
- Do not rely on shouldFilterAllDispatcherTypes(true) to protect forwarded or included requests on an affected version; it enables checks for error and async dispatches but leaves forward and include unchecked
- Do not forward or include a lower-privilege request into an endpoint that requires more privilege; restructure such handlers so the privileged logic has its own secured entry point
- Enforce authorization on the target independently of the dispatcher type, for example with method security (@PreAuthorize) on the handler or service method that produces the privileged response
- Treat the dispatcher-type property as a statement of where the filter chain runs, not as a fix: leaving forward and include out of it means forwards are never filtered at all, and adding them on an affected version still leaves the AuthorizationFilter skipping them
# Configuration example - application.properties
# Spring Boot's default: the filter chain runs on the original request and on error and async dispatches only
spring.security.filter.dispatcher-types=request,error,async
# Adding forward,include here only gains protection on 5.7.5 / 5.6.9 or later
# Review every endpoint that calls RequestDispatcher.forward() or include() and secure the target on its own
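Securing the target independently of how the request reaches it, as an added example (not code from the original article or from the Spring Security project). It continues the hypothetical /public/preview and /admin/report pair: the forward is kept, since many applications cannot remove it quickly, and the rule is moved onto the handler itself with method security, which is enforced by an interceptor on the bean method rather than by the AuthorizationFilter.

```java
// Added example for this page, not code from the original article or the Spring Security
// project. Hypothetical /public/preview and /admin/report handlers; Spring Security 5.6+.

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Configuration
@EnableMethodSecurity   // 5.6+; use @EnableGlobalMethodSecurity(prePostEnabled = true) on older releases
public class MethodSecurityConfig {
}

@Controller
class HardenedPreviewController {

    // Unchanged public entry point that still forwards into /admin/**.
    @GetMapping("/public/preview")
    public void preview(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.getRequestDispatcher("/admin/report").forward(request, response);
    }

    // The rule now lives on the handler. Method security wraps the bean method in an
    // AOP interceptor, so it runs whether the DispatcherServlet reached this method on a
    // REQUEST, FORWARD or INCLUDE dispatch, and it does not depend on the
    // AuthorizationFilter having run for this dispatch. Anonymous and non-admin callers
    // get an AccessDeniedException instead of the report, even via /public/preview.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin/report")
    @ResponseBody
    public String report() {
        return "admin-only report";
    }
}
```

Keep the URL rule in authorizeHttpRequests as well; the method-level check is defence in depth, not a replacement. The AccessDeniedException raised inside the forward is turned into a 401/403 by ExceptionTranslationFilter only when the security filter chain also runs on the FORWARD dispatch; otherwise it surfaces as a server error, but in neither case is the report body written. Upgrading to 5.7.5 or 5.6.9 remains the actual fix.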
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


