Understanding the Vulnerability
CVE-2022-31692 is an authorization bypass in Spring Security 5.6.0 through 5.6.8 and 5.7.0 through 5.7.4, scored 9.8 (critical) in the National Vulnerability Database. It affects applications that use authorizeHttpRequests() (the AuthorizationFilter) and configure the security filter chain to run on FORWARD or INCLUDE dispatches (for example spring.security.filter.dispatcher-types=request,error,async,forward,include), expecting the authorization rules to be enforced on those dispatches. When a handler that a low-privilege caller can reach forwards or includes the request into a path governed by a stricter rule, the stricter rule was not enforced, so the privileged handler ran for a caller who should never have reached it.
This is not the RegexRequestMatcher problem that is sometimes conflated with it. That earlier issue, CVE-2022-22978 (fixed in 5.6.4 and 5.5.7), stemmed from `.` in a Java regular expression not matching line terminators unless DOTALL is set, so a pattern such as /admin/.* could fail to match a path containing an encoded newline while the framework could still route it. The trailing-slash story also does not hold up on its own terms: if /admin.* matches /admin/, the rule applies and there is nothing to bypass. The lesson common to both advisories is real, though: whenever the component that decides whether a path is protected sees the request differently from the component that routes it, the difference is attack surface.
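The four conditions from the advisory, laid out as a minimal Spring Boot 2.7 / Spring Security 5.7.x application and then its hardened form. This is an added example, not code from the article or from the Spring project; the class, bean and URL names, the profile split, and the use of the Spring Security 5.8 shouldFilterAllDispatcherTypes() setting in the hardened configuration are assumptions for illustration.

```java
// Added example (not from the article or the Spring project). Hypothetical
// Spring Boot 2.7 application reconstructing the conditions in the
// CVE-2022-31692 advisory, then a hardened configuration. Names are illustrative.
//
// Condition 3 lives in application.properties (the property from the advisory):
//   spring.security.filter.dispatcher-types=request,error,async,forward,include
// Profiles are used only so both configurations can sit in one file.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.ResponseBody;

@Configuration
@Profile("vulnerable")
class VulnerableSecurityConfig {

    // Condition 2: authorizeHttpRequests() installs the AuthorizationFilter.
    // On 5.6.0-5.6.8 / 5.7.0-5.7.4 that filter does not enforce the rule for a
    // path reached by FORWARD or INCLUDE, even though the chain runs on them.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/reports/**").authenticated()
                .anyRequest().permitAll())
            .httpBasic();
        return http.build();
    }
}

@Configuration
@Profile("hardened")
@EnableMethodSecurity   // Spring Security 5.6+: activates @PreAuthorize below
class HardenedSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // Assumption: Spring Security 5.8 API (default true from 6.0).
                // Evaluate the rules on every dispatch type, not just REQUEST.
                .shouldFilterAllDispatcherTypes(true)
                // mvcMatchers() matches the way Spring MVC routes, so the
                // security view and the routing view of a path do not drift apart.
                .mvcMatchers("/admin/**").hasRole("ADMIN")
                .mvcMatchers("/reports/**").authenticated()
                .anyRequest().permitAll())
            .httpBasic();
        return http.build();
    }
}

@Controller
class ReportController {

    // Condition 4: a handler any authenticated user can reach forwards into an
    // /admin/** path. The application relies on the admin rule being applied on
    // that forward (condition 1).
    @GetMapping("/reports/export/{name}")
    String export(@PathVariable String name) {
        return "forward:/admin/export/" + name;
    }

    // Defense in depth: the role check sits on the method, so it holds no matter
    // how the request arrived. It is inert under the "vulnerable" profile because
    // method security is not enabled there, and enforced under "hardened".
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin/export/{name}")
    @ResponseBody
    String adminExport(@PathVariable String name) {
        return "exported " + name;
    }
}
```

Run with --spring.profiles.active=vulnerable on an affected release and a caller holding only ROLE_USER who requests /reports/export/x receives the admin handler's output; under the hardened profile on 5.8 or later the same call is denied twice over, once by the filter chain on the forward dispatch and once by the method-level check.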
Timeline of Events
Before October 2022: Applications on Spring Security 5.6.x and 5.7.x had moved to authorizeHttpRequests(), and some of them extended the security filter chain to FORWARD and INCLUDE dispatches so that server-side forwards into protected paths would be authorized.
2022: The bypass was reported to the Spring Security team and assigned CVE-2022-31692.
31 October 2022: The advisory was published together with the fixed releases, Spring Security 5.7.5 and 5.6.9.
After disclosure: Teams with automated dependency scanning were alerted within hours. Teams without it stayed on an affected version until their next routine upgrade, usually without knowing that one of their authorization rules was not being enforced.
Identifying Control Failures
Dependency Management: Without automated scanning, teams on 5.6.0-5.6.8 or 5.7.0-5.7.4 learned of the flaw only through public disclosure, if they learned of it at all.
Authorization Testing: Typical tests request each protected URL directly. They rarely exercise the same URL reached through a server-side forward or include, or through path variants, so a bypass that depends on how the request arrived goes unnoticed.
Dispatch Coverage: Authorization was evaluated on the initial REQUEST dispatch but not when the same request was forwarded or included into a path with a stricter rule, even though the filter chain was configured to run there. The application's security view of the request and the container's routing view diverged.
Lack of Defense in Depth: Relying solely on URL-based rules in the filter chain left nothing to catch the miss. A web application firewall would not have helped, because a server-side forward never leaves the server; method-level security on the privileged handlers, or an explicit check inside them, would have held regardless of dispatch type.
Compliance Standards
OWASP ASVS v4.0.3 Requirement 4.1.1: Access control rules are enforced on a trusted service layer. For a Spring MVC application that layer is the Spring Security filter chain plus any method-level security, and it is only trustworthy if the rules are evaluated for every way a request can reach a handler.
OWASP ASVS v4.0.3 Requirement 4.1.5: Access controls fail securely. Skipping the rule on a forwarded dispatch is the opposite: an unevaluated rule silently became an allow.
PCI DSS v4.0.1 Requirements 6.3.2 and 6.3.3: Maintain an inventory of third-party components used in bespoke software (6.3.2) and install applicable security patches (6.3.3). If the application handles cardholder data, the inventory is what tells you that you ship an affected Spring Security version, and the upgrade to 5.7.5 or 5.6.9 is the patch.
NIST SP 800-53 Rev. 5 Control SA-11 (Developer Testing and Evaluation): Developers plan and perform security testing of the system. A test plan that never drives a forward, an include or a path variant at a protected URL does not evaluate the control that failed here, and most test suites do not.
ISO/IEC 27001:2022 Annex A.8.8 (Management of technical vulnerabilities): Obtain information about vulnerabilities in the components you use and act on it promptly. Ad hoc manual monitoring does not meet the "promptly" part.
Actionable Steps for Your Team
Automate Dependency Scanning: Integrate a scanner such as Snyk, Dependabot or OWASP Dependency-Check into CI so that a build pulling in an affected version fails, and alert on new advisories for every dependency you ship.
Upgrade Immediately: Move to Spring Security 5.7.5 or 5.6.9, or any later release. On 5.8 and later, set shouldFilterAllDispatcherTypes(true) in authorizeHttpRequests() (the default from 6.0) so rules are evaluated on every dispatch type. If you cannot upgrade at once, stop forwarding or including into protected paths from less-privileged handlers and put the role check on the privileged handler itself. Separately, if you still use RegexRequestMatcher on a release older than 5.6.4 or 5.5.7, CVE-2022-22978 applies to you; prefer MvcRequestMatcher (mvcMatchers) so that security rules match paths the way Spring MVC does.
Enhance Authorization Testing: Cover each protected URL reached through a forward and an include, and through path variants such as /admin/, /admin//, /admin%2F, /admin;jsessionid=xyz and /admin%0a. Spring Security's default StrictHttpFirewall rejects several of these outright; the test should assert that none of them, however handled, serves the protected resource to an unauthorized caller.
Normalize Requests: Keep path interpretation in one place. Leave StrictHttpFirewall enabled with its defaults (it rejects encoded slashes, semicolons, backslashes, line feeds and carriage returns, and non-normalized paths) and use MvcRequestMatcher so authorization sees the path the way Spring MVC routes it. A custom middleware that rewrites paths before authorization is one more place where the security view and the routing view can drift apart.
Review Authorization Architecture: Enable method security (@EnableMethodSecurity) and annotate privileged handlers and services with @PreAuthorize. A method-level check runs on the method call, so it holds whether the request arrived directly, by forward, by include or asynchronously.
Monitor CVEs: Track every library version in production and subscribe to the Spring security advisories and the NVD feed for your components. Aim to know about a vulnerability like CVE-2022-31692 within 24 hours of publication.
Document Authorization Patterns: Record each request matcher, the dispatcher types the filter chain runs on, and what each rule is meant to protect, so that when the next advisory lands you can tell in minutes whether it applies and retest the affected rules.
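A regression test that drives both checks the list asks for, the forward case and the path variants, against an embedded container (MockMvc does not execute forwards, so it cannot catch this bypass). This is an added example, not the article's or the project's code; it assumes the hypothetical /reports/export/{name} and /admin/export/{name} endpoints used on this page, Spring Boot 2.7 with JUnit 5, and defines its own throwaway test users.

```java
// Added example (not from the article or the Spring project). Integration test
// against a real embedded container; endpoint names and users are assumptions.

import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;

import java.net.URI;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.boot.test.web.server.LocalServerPort;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class AuthorizationBypassTest {

    @LocalServerPort int port;
    @Autowired TestRestTemplate rest;

    // Throwaway fixture users (assumption: the application defines no UserDetailsService of its own).
    @TestConfiguration
    static class Users {
        @Bean
        UserDetailsService users() {
            return new InMemoryUserDetailsManager(
                User.withUsername("user").password("{noop}user-pw").roles("USER").build(),
                User.withUsername("admin").password("{noop}admin-pw").roles("ADMIN").build());
        }
    }

    // Variants of one protected URL. java.net.URI is used so nothing re-encodes them.
    // StrictHttpFirewall rejects the ';', '%2F', '%0a' and '/.' forms before any rule
    // runs; the rest must hit the same rule as the canonical path. None may return 200.
    static final String[] VARIANTS = {
        "/admin/export/q", "/admin/export/q/", "/admin//export/q", "/admin/export/q/.",
        "/admin%2Fexport/q", "/admin/export/q;jsessionid=x", "/admin/export/q%0a"
    };

    @Test
    void protectedPathVariantsAreNotServedToNonAdmins() {
        TestRestTemplate user = rest.withBasicAuth("user", "user-pw");
        for (String path : VARIANTS) {
            ResponseEntity<String> r = user.getForEntity(uri(path), String.class);
            assertNotEquals(HttpStatus.OK, r.getStatusCode(), "bypass via " + path);
        }
    }

    // The CVE-2022-31692 shape: an allowed endpoint forwards into /admin/**.
    // Fails on an affected release, passes on 5.7.5 / 5.6.9 and later.
    @Test
    void forwardIntoAdminPathIsDenied() {
        ResponseEntity<String> r = rest.withBasicAuth("user", "user-pw")
            .getForEntity(uri("/reports/export/q"), String.class);
        assertTrue(r.getStatusCode().is4xxClientError(), "forward bypass: " + r.getStatusCode());
        assertFalse(String.valueOf(r.getBody()).contains("exported"));
    }

    // Guard against the suite passing only because the admin path is broken for everyone.
    @Test
    void adminPathStillWorksForAdmin() {
        ResponseEntity<String> r = rest.withBasicAuth("admin", "admin-pw")
            .getForEntity(uri("/admin/export/q"), String.class);
        assertTrue(r.getStatusCode().is2xxSuccessful());
    }

    private URI uri(String path) {
        return URI.create("http://localhost:" + port + path);
    }
}
```

The positive admin test matters as much as the negative ones: a suite that only asserts denials will happily pass when a misconfiguration locks everyone out, which is the failure mode that gets "fixed" in a hurry by loosening the rules.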
This vulnerability needed no exotic input. A user with ordinary access called an endpoint that the application itself forwarded into a privileged path, and the rule guarding that path was never evaluated. Your authorization layer, a critical security control, had a bypass, and the fix was a version bump. The question is whether you knew this on 31 October 2022 or only found out during a later audit.



