GHSA-293q-567p-wmwq
Spring Security Vulnerable to Unauthorized User Impersonation when Using X.509 Client Certificates
Details
In Spring Security Web, `SubjectDnX509PrincipalExtractor` does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.
`SubjectDnX509PrincipalExtractor` is deprecated by this CVE and replaced with `SubjectX500PrincipalExtractor`. As part of updating, you should also migrate to `SubjectX500PrincipalExtractor`.
Affected versions: Spring Security Enterprise 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10. OSS 6.5.0 through 6.5.10.
Affected packages
6.5.0: Fixed in 6.5.11 (pom.xml: bump <version>6.5.11</version> for org.springframework.security:spring-security-web).
6.4.0: No fixed version published yet for org.springframework.security:spring-security-web (maven). Pin to a known-safe version or switch to an alternative.
6.0.0: No fixed version published yet for org.springframework.security:spring-security-web (maven). Pin to a known-safe version or switch to an alternative.
5.8.0: No fixed version published yet for org.springframework.security:spring-security-web (maven). Pin to a known-safe version or switch to an alternative.
0: No fixed version published yet for org.springframework.security:spring-security-web (maven). Pin to a known-safe version or switch to an alternative.