MEDIUM 6.8

GHSA-293q-567p-wmwq

Spring Security Vulnerable to Unauthorized User Impersonation when Using X.509 Client Certificates

Details

In Spring Security Web, `SubjectDnX509PrincipalExtractor` does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.

`SubjectDnX509PrincipalExtractor` is deprecated as part of the fix for this CVE and replaced with `SubjectX500PrincipalExtractor`. When you update to a fixed version, you should also migrate your configuration to `SubjectX500PrincipalExtractor`.

Affected versions: Spring Security Enterprise 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10. OSS 6.5.0 through 6.5.10.
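The migration the advisory asks for, as an added example that is not part of the advisory or of Spring Security's own documentation: an X.509 client-certificate configuration that installs `SubjectX500PrincipalExtractor` instead of the regex-based `SubjectDnX509PrincipalExtractor`. It assumes Spring Security 6.5.11 or later on the classpath and that the extractor lives in the `...preauth.x509` package alongside the deprecated one; the in-memory user `alice` is a constructed sample.

```java
// Added example (not from the advisory): X.509 client-certificate authentication
// configured with the X500-aware principal extractor recommended by the fix.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
// Assumed package: same package as the deprecated SubjectDnX509PrincipalExtractor.
import org.springframework.security.web.authentication.preauth.x509.SubjectX500PrincipalExtractor;

@Configuration
@EnableWebSecurity
public class X509SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .x509(x509 -> x509
                // Before: .subjectPrincipalRegex("CN=(.*?)(?:,|$)") installs the
                // deprecated SubjectDnX509PrincipalExtractor, which reads the username
                // out of the subject DN string with a regular expression.
                // After: use the extractor that works on the parsed X500 principal.
                .x509PrincipalExtractor(new SubjectX500PrincipalExtractor())
                // The extracted principal is looked up here; an unknown name fails
                // authentication instead of creating a user.
                .userDetailsService(userDetailsService()));
        return http.build();
    }

    @Bean
    UserDetailsService userDetailsService() {
        // Constructed sample: the username must match the CN of the client
        // certificate. The password is never used for X.509 authentication.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password("{noop}unused").roles("USER").build());
    }
}
```

Pair this with the dependency bump to a fixed version; changing the extractor alone does not remove the vulnerable class from the classpath.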


Affected packages (Maven / org.springframework.security:spring-security-web)

- Introduced in: 6.5.0. Fixed in: 6.5.11. Fix in pom.xml: bump <version>6.5.11</version> for org.springframework.security:spring-security-web.
- Introduced in: 6.4.0. No fixed version published yet for org.springframework.security:spring-security-web (maven). Pin to a known-safe version or switch to an alternative.
- Introduced in: 6.0.0. No fixed version published yet for org.springframework.security:spring-security-web (maven). Pin to a known-safe version or switch to an alternative.
- Introduced in: 5.8.0. No fixed version published yet for org.springframework.security:spring-security-web (maven). Pin to a known-safe version or switch to an alternative.
- Introduced in: 0. No fixed version published yet for org.springframework.security:spring-security-web (maven). Pin to a known-safe version or switch to an alternative.
