CVE-2022-41923: Grails Spring Security Core Plugin Vulnerable to Privilege Escalation

The Grails Spring Security Core (GSSC) plugin is an essential component for many Grails framework applications, providing authentication and authorization services. However, a recently discovered vulnerability, identified as CVE-2022-41923, has put these applications at risk for privilege escalation attacks. This post will discuss the details of the vulnerability, provide code snippets, links to the original references, and explain how to address the issue in affected applications.

Vulnerability Details

This privilege escalation vulnerability allows an attacker to gain access to one endpoint (the targeted endpoint) by using the authorization requirements of a different endpoint (the donor endpoint). In some Grails framework applications, access to the targeted endpoint is granted based on meeting the authorization requirements of the donor endpoint, which can result in a privilege escalation attack.

The vulnerability affects the Grails Spring Security Core plugin versions 1.x, 2.x, >=3.0.0 <3.3.2, >=4.0.0 <4.0.5, and >=5.0.0 <5.1.1. The issue has been fixed in grails-spring-security-core versions 3.3.2, 4.0.5, and 5.1.1. The official CVE Mitre report for this vulnerability can be found here.

It is highly recommended that all Grails framework applications using the Grails Spring Security Core plugin update to a patched release of the plugin. For users unable to update immediately, a workaround is available, which involves creating a subclass that extends specific classes from the grails.plugin.springsecurity.web.access.intercept package, depending on the security configuration:

* AnnotationFilterInvocationDefinition
* InterceptUrlMapFilterInvocationDefinition
* RequestmapFilterInvocationDefinition

In each case, the subclass should override the calculateUri method like so:

import javax.servlet.http.HttpServletRequest
import org.springframework.web.util.UrlPathHelper

@Override
protected String calculateUri(HttpServletRequest request) {
    // Authorize against the request URI exactly as received, so the rules
    // consulted are those of the endpoint that was actually requested
    UrlPathHelper.defaultInstance.getRequestUri(request)
}

This workaround should be considered a temporary measure, as the patched versions of grails-spring-security-core deprecates the calculateUri method. Once upgraded to a patched version of the plugin, this workaround is no longer needed. It is especially important to apply this workaround for version 2.x, as no patch is available for this version of the GSSC plugin.
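A complete form of the workaround, as an added example that is not the plugin's or the original post's code: the subclass for the annotation-based configuration, followed by the resources.groovy entry that swaps it in for the plugin's own bean. The class and package names of the parent classes come from the advisory above; the package com.example.security, the bean name objectDefinitionSource and the property wiring are assumptions about the plugin's own bean definition and must be compared against the installed plugin version before use.

```groovy
// src/main/groovy/com/example/security/RawUriAnnotationFilterInvocationDefinition.groovy
package com.example.security   // hypothetical package, chosen for this example

import grails.plugin.springsecurity.web.access.intercept.AnnotationFilterInvocationDefinition
import groovy.transform.CompileStatic
import javax.servlet.http.HttpServletRequest
import org.springframework.web.util.UrlPathHelper

/**
 * Workaround subclass for CVE-2022-41923 when securityConfigType is Annotation.
 * For the InterceptUrlMap and Requestmap configuration types, apply the same
 * override to InterceptUrlMapFilterInvocationDefinition or
 * RequestmapFilterInvocationDefinition respectively.
 */
@CompileStatic
class RawUriAnnotationFilterInvocationDefinition extends AnnotationFilterInvocationDefinition {

    @Override
    protected String calculateUri(HttpServletRequest request) {
        // Use the request URI as received rather than a derived path, so the
        // authorization rules looked up belong to the endpoint actually requested.
        // UrlPathHelper.defaultInstance requires Spring Framework 5.3 or later;
        // on older Spring versions construct a UrlPathHelper instance instead.
        UrlPathHelper.defaultInstance.getRequestUri(request)
    }
}

// grails-app/conf/spring/resources.groovy
// Replaces the plugin's objectDefinitionSource bean with the subclass above.
// ASSUMPTION: the bean name and the property assignments mirror the plugin's
// own definition of this bean; copy every property the plugin sets for your
// version, otherwise the filter chain will be wired incompletely.
import com.example.security.RawUriAnnotationFilterInvocationDefinition

beans = {
    objectDefinitionSource(RawUriAnnotationFilterInvocationDefinition) {
        application = ref('grailsApplication')
        // ... remaining properties exactly as the plugin's bean definition sets them
    }
}
```

After deploying, confirm the override is active by checking that the bean returned for objectDefinitionSource from the application context is an instance of the subclass; an unchanged bean class means the plugin's original definition still won and the workaround is not in effect.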

Conclusion

CVE-2022-41923 is a critical vulnerability that could lead to privilege escalation attacks on Grails framework applications using the Grails Spring Security Core plugin. Developers and administrators must take appropriate steps to update the affected plugin or apply the suggested workaround to mitigate the risk of exploitation. As always, it is essential to keep software up-to-date to ensure the security and integrity of applications and systems.

Timeline

Published on: 11/23/2022 19:15:00 UTC
Last modified on: 07/10/2023 16:39:00 UTC