CVE-2022-31690
spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token.
A flaw was found in the Spring Security framework that could allow a remote attacker to gain elevated privileges on the system by modifying a request initiated by the Client (via the browser) to the Authorization Server.
Multicluster Engine for Kubernetes 2.2.4 images: Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
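The condition the description hinges on is how the client fills in the granted scope set when the access token response carries no `scope` value. The following Python model is an added illustration for this record; it is not Spring Security's code and does not reproduce the project's fix. The scope names, the sample token responses and the `resolve_granted_scopes_*` helpers are constructed assumptions. It contrasts a client that defaults an absent scope to the set it originally requested (the set it stored before the request passed through the browser) with one that only grants authorities for scopes the Authorization Server states explicitly, and adds a small mismatch check a defender can log on.

```python
"""Model of client-side scope resolution for an OAuth2 access token response.

Constructed example for CVE-2022-31690; not Spring Security's implementation.
RFC 6749 section 5.1 lets the server omit `scope` when it is identical to the
scope the server received. That request travelled through the user's browser,
so the set the client stored may not be the set the server actually approved.
"""
from typing import Callable, FrozenSet, Mapping, Optional

# Constructed sample: scopes the client application itself placed in the
# authorization request before redirecting the browser to the server.
CLIENT_REQUESTED_SCOPES: FrozenSet[str] = frozenset({"openid", "read", "admin"})

# Constructed sample: scopes the client application maps to privileged
# authorities. A real deployment would take this from configuration.
PRIVILEGED_SCOPES: FrozenSet[str] = frozenset({"admin"})

# Constructed sample token responses, reduced to the fields that matter here.
RESPONSE_EMPTY_SCOPE = {"access_token": "tok-1", "token_type": "Bearer"}
RESPONSE_EXPLICIT_SCOPE = {
    "access_token": "tok-2",
    "token_type": "Bearer",
    "scope": "openid read",
}

Resolver = Callable[[Mapping[str, str]], FrozenSet[str]]


def parse_scope_parameter(token_response: Mapping[str, str]) -> Optional[FrozenSet[str]]:
    """Return the space-delimited scope set from a token response, or None if absent."""
    raw = token_response.get("scope")
    if raw is None or not raw.strip():
        return None
    return frozenset(raw.split())


def resolve_granted_scopes_vulnerable(token_response: Mapping[str, str]) -> FrozenSet[str]:
    """Risky pattern: an absent scope is read as 'everything I asked for was granted'.

    The client's stored request is not what the server necessarily received,
    so this can hand out authorities the server never approved.
    """
    scopes = parse_scope_parameter(token_response)
    return scopes if scopes is not None else CLIENT_REQUESTED_SCOPES


def resolve_granted_scopes_hardened(token_response: Mapping[str, str]) -> FrozenSet[str]:
    """Defensive pattern: derive no privilege from an absent scope field.

    Only scopes the server states explicitly become authorities. Servers that
    omit `scope` must be configured to return it, or the application confirms
    the grant through token introspection (not modelled here).
    """
    scopes = parse_scope_parameter(token_response)
    return scopes if scopes is not None else frozenset()


def grants_privileged_authority(token_response: Mapping[str, str], resolver: Resolver) -> bool:
    """True if the given resolver would map this response to a privileged authority."""
    return bool(resolver(token_response) & PRIVILEGED_SCOPES)


def scopes_missing_from_grant(token_response: Mapping[str, str]) -> FrozenSet[str]:
    """Requested scopes the server did not explicitly confirm; worth logging.

    A non-empty result on a response that did carry `scope` means the request
    the server saw differed from what the client stored, or the server down-scoped.
    """
    granted = parse_scope_parameter(token_response)
    if granted is None:
        return CLIENT_REQUESTED_SCOPES  # nothing was confirmed at all
    return CLIENT_REQUESTED_SCOPES - granted


if __name__ == "__main__":
    for name, resolver in (("vulnerable", resolve_granted_scopes_vulnerable),
                           ("hardened", resolve_granted_scopes_hardened)):
        print(name, "empty-scope response ->", sorted(resolver(RESPONSE_EMPTY_SCOPE)),
              "privileged:", grants_privileged_authority(RESPONSE_EMPTY_SCOPE, resolver))
    print("missing from explicit grant:", sorted(scopes_missing_from_grant(RESPONSE_EXPLICIT_SCOPE)))
```

Run as a script it shows the vulnerable resolver turning the empty-scope response into the full requested set, `admin` included, while the hardened resolver grants nothing it was not told. The `scopes_missing_from_grant` result is the signal to record: on an otherwise normal login it is empty, so any non-empty value is a cheap detection hook for requests that were altered in transit or down-scoped by the server.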
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-05-25 CVE Reserved
- 2022-10-31 CVE Published
- 2024-08-03 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-269: Improper Privilege Management
CAPEC
References (4)
URL | Tag | Date
---|---|---
https://security.netapp.com/advisory/ntap-20221215-0010 | Third Party Advisory | -
https://tanzu.vmware.com/security/cve-2022-31690 | - | 2023-08-08
https://access.redhat.com/security/cve/CVE-2022-31690 | - | 2023-04-27
https://bugzilla.redhat.com/show_bug.cgi?id=2162200 | - | 2023-04-27
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Vmware | Spring Security | >= 5.6.0 < 5.6.9 | - | Affected
Vmware | Spring Security | >= 5.7.0 < 5.7.5 | - | Affected
Netapp | Active Iq Unified Manager | - | vmware_vsphere | Affected
Netapp | Active Iq Unified Manager | - | windows | Affected