CVE-2021-22112: Privilege Escalation

February 23, 2021 (updated June 14, 2023)

Spring Security can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application’s intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

References

nvd.nist.gov/vuln/detail/CVE-2021-22112
tanzu.vmware.com/security/cve-2021-22112

Code Behaviors & Features

Detect and mitigate CVE-2021-22112 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →