Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2022-41923

CVE-2022-41923: Grails Spring Security Escalation Flaw

CVE-2022-41923 is a privilege escalation vulnerability in Grails Spring Security Core plugin that allows attackers to access endpoints using donor endpoint privileges. This article covers technical details, affected versions, and patches.

Published:

CVE-2022-41923 Overview

CVE-2022-41923 is a critical privilege escalation vulnerability in the Grails Spring Security Core plugin. The vulnerability allows an attacker to access a targeted endpoint using the authorization requirements of a different donor endpoint. In affected Grails framework applications, access to the targeted endpoint may be granted based on meeting the authorization requirements of the donor endpoint, enabling unauthorized access to protected resources.

Critical Impact

This authorization bypass vulnerability allows attackers to escalate privileges by exploiting improper access control, potentially gaining unauthorized access to sensitive functionality and data within affected Grails applications.

Affected Products

  • Grails Spring Security Core plugin versions 1.x
  • Grails Spring Security Core plugin versions 2.x
  • Grails Spring Security Core plugin versions >=3.0.0 <3.3.2
  • Grails Spring Security Core plugin versions >=4.0.0 <4.0.5
  • Grails Spring Security Core plugin versions >=5.0.0 <5.1.1

Discovery Timeline

  • 2022-11-23 - CVE CVE-2022-41923 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-41923

Vulnerability Analysis

This vulnerability is classified under CWE-269 (Improper Privilege Management) and CWE-863 (Incorrect Authorization). The flaw resides in the authorization mechanism of the Grails Spring Security Core plugin, where the calculateUri method incorrectly determines which endpoint's authorization requirements should be applied to incoming requests.

The authorization bypass occurs when the plugin fails to properly map incoming HTTP requests to their intended security constraints. An attacker can craft requests that cause the security framework to evaluate authorization against a different endpoint (the "donor" endpoint) rather than the actual targeted endpoint. If the donor endpoint has weaker or different authorization requirements, the attacker gains access to functionality they should not have permission to use.

Root Cause

The root cause lies in the calculateUri method within the security interception classes located in the grails.plugin.springsecurity.web.access.intercept package. The affected classes include:

  • AnnotationFilterInvocationDefinition
  • InterceptUrlMapFilterInvocationDefinition
  • RequestmapFilterInvocationDefinition

The method incorrectly calculates the URI used for authorization decisions, causing a mismatch between the actual request destination and the security constraints being evaluated. This URI calculation error enables the privilege escalation attack vector.

Attack Vector

The vulnerability is exploitable over the network without authentication. An attacker can send specially crafted HTTP requests to a Grails application using the vulnerable plugin. By manipulating request parameters or paths, the attacker causes the security framework to evaluate the wrong set of authorization rules, effectively bypassing intended access controls.

The attack does not require user interaction and can be performed by any remote attacker who can reach the affected application. The vulnerability affects applications regardless of their specific security configuration, as long as they use one of the vulnerable versions of the Grails Spring Security Core plugin.

For detailed technical analysis and proof-of-concept information, see the GitHub Security Advisory and the Grails Blog CVE Analysis.

Detection Methods for CVE-2022-41923

Indicators of Compromise

  • Unexpected access to privileged endpoints by unauthenticated or low-privileged users
  • Application logs showing authorization grants for endpoints the user should not have access to
  • Anomalous patterns in HTTP request paths or URI structures in access logs
  • Discrepancies between authenticated user roles and accessed resources

Detection Strategies

  • Review application access logs for users accessing endpoints beyond their authorized scope
  • Implement monitoring for authorization decision patterns that deviate from expected behavior
  • Deploy application security testing tools to identify authorization bypass conditions
  • Audit security configurations across all Grails applications using the Spring Security Core plugin

Monitoring Recommendations

  • Enable detailed logging for security interception events in Grails applications
  • Monitor for suspicious request patterns targeting sensitive administrative endpoints
  • Implement alerts for authorization grants that do not match expected user permission profiles
  • Correlate access patterns across endpoints to detect potential privilege escalation attempts

How to Mitigate CVE-2022-41923

Immediate Actions Required

  • Update Grails Spring Security Core plugin to patched versions: 3.3.2, 4.0.5, or 5.1.1 depending on your version branch
  • Implement the workaround override for the calculateUri method if immediate patching is not possible
  • Review application logs for evidence of exploitation prior to patching
  • Audit all endpoints and their authorization requirements after applying fixes

Patch Information

Grails has released patched versions of the Spring Security Core plugin to address this vulnerability:

  • Version 3.3.2 for the 3.x branch
  • Version 4.0.5 for the 4.x branch
  • Version 5.1.1 for the 5.x branch

Note that no patch is available for versions 1.x and 2.x of the plugin. Organizations using these legacy versions must implement the workaround or migrate to a supported version.

For additional patch details and guidance, refer to the GitHub PoC Repository and Grails Blog CVE Analysis.

Workarounds

  • Create a subclass extending the appropriate class from grails.plugin.springsecurity.web.access.intercept package based on your security configuration
  • Override the calculateUri method to use UrlPathHelper.defaultInstance.getRequestUri(request) instead of the vulnerable implementation
  • Apply the workaround to the correct class: AnnotationFilterInvocationDefinition, InterceptUrlMapFilterInvocationDefinition, or RequestmapFilterInvocationDefinition
  • This workaround is especially critical for version 2.x users, as no official patch exists for that version branch
groovy
# Workaround configuration - Override calculateUri method
# Create a subclass extending your security configuration class

@Override
protected String calculateUri(HttpServletRequest request) {
    UrlPathHelper.defaultInstance.getRequestUri(request)
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne