Workaround for CVE-2022-41923: Privilege Management Vulnerability
Summary
The vulnerability CVE-2022-41923 found in the unpatched Grails Spring Security Core (GSSC) plugin can result in improper privilege management. This repository describes how to work around the issue.
If you are using an unpatched version of the plugin, we highly recommend that you upgrade to a patched version. If you are unable to upgrade immediately, we encourage you to implement the workaround described in this document. This is especially important if you are using GSSC plugin version 2.x, as no patch is available for version 2.x.
Preparation
In order to correctly configure the workaround, you need to know:
- The version of the GSSC plugin your application employs. Look for the version number in your build.gradle file. (For Grails 2.x, look in the BuildConfig.groovy file.)
- What security configuration type you are using: that is, the configuration value for grails.plugin.springsecurity.securityConfigType
Config Value | Documentation Reference |
---|---|
Annotation (default) | Secured Annotations |
InterceptUrlMap | Static Map |
Requestmap | Requestmap Instances |
Note: In all the instructions and configuration below, the demo package is used. Change this package appropriately for your application and the location you place the patched source files.
Workaround for GSSC Plugin (versions 3.x - 5.x)
Determine the workaround class you need based on your security configuration type.
Config Value | Workaround Class |
---|---|
Annotation | PatchedAnnotationFilterInvocationDefinition |
InterceptUrlMap | PatchedInterceptUrlMapFilterInvocationDefinition |
Requestmap | PatchedRequestmapFilterInvocationDefinition |
Copy the corresponding source file into your src/main/groovy source tree.
Finally, add the following configuration to your application.groovy config file, replacing PatchedAnnotationFilterInvocationDefinition with the needed workaround class.

    grails.plugin.springsecurity.objectDefinitionSourceBeanClass = 'demo.PatchedAnnotationFilterInvocationDefinition'
Workaround for GSSC Plugin (version 2.x)
As above, determine the workaround class you need based on your security configuration type.
Copy the corresponding source file into your src/groovy source tree.
Then edit your bean configuration based on your application's security configuration type.
Security Config Type: Annotation
If using security configuration type Annotation, edit the grails-app/conf/spring/resources.groovy to include:

    import demo.PatchedAnnotationFilterInvocationDefinition
    import grails.plugin.springsecurity.SpringSecurityUtils

    beans = {
        def conf = SpringSecurityUtils.securityConfig

        // Redefine the plugin's objectDefinitionSource bean with the patched class
        objectDefinitionSource(demo.PatchedAnnotationFilterInvocationDefinition) {
            application = ref('grailsApplication')
            grailsUrlConverter = ref('grailsUrlConverter')
            responseMimeTypesApi = ref('responseMimeTypesApi')
            boolean lowercase = conf.controllerAnnotations.lowercase
            if (conf.rejectIfNoRule instanceof Boolean) {
                rejectIfNoRule = conf.rejectIfNoRule
            }
        }

        // ... existing bean configuration ...
    }
Security Config Type: Static Map
If using security configuration type InterceptUrlMap, edit the grails-app/conf/spring/resources.groovy to include:

    import demo.PatchedInterceptUrlMapFilterInvocationDefinition
    import grails.plugin.springsecurity.SpringSecurityUtils

    beans = {
        def conf = SpringSecurityUtils.securityConfig

        // Redefine the plugin's objectDefinitionSource bean with the patched class
        objectDefinitionSource(demo.PatchedInterceptUrlMapFilterInvocationDefinition) {
            if (conf.rejectIfNoRule instanceof Boolean) {
                rejectIfNoRule = conf.rejectIfNoRule
            }
        }

        // ... existing bean configuration ...
    }
Security Config Type: Requestmap Instances
If using security configuration type Requestmap, edit the grails-app/conf/spring/resources.groovy to include:

    import demo.PatchedRequestmapFilterInvocationDefinition
    import grails.plugin.springsecurity.SpringSecurityUtils

    beans = {
        def conf = SpringSecurityUtils.securityConfig

        // Redefine the plugin's objectDefinitionSource bean with the patched class
        objectDefinitionSource(demo.PatchedRequestmapFilterInvocationDefinition) {
            if (conf.rejectIfNoRule instanceof Boolean) {
                rejectIfNoRule = conf.rejectIfNoRule
            }
        }

        // ... existing bean configuration ...
    }
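
To check the result of the steps above, the following added example (not part of the original repository) reads the text of the build file, the Groovy config file and, for 2.x, resources.groovy, and reports which workaround class applies and whether it is actually wired in. The function names, regular expressions and sample input are assumptions made for this illustration; it expects a literal version string on the dependency line and Groovy (not YAML) configuration.

```python
import re

# Workaround class per securityConfigType, taken from the tables on this page.
WORKAROUND = {
    "Annotation": "PatchedAnnotationFilterInvocationDefinition",
    "InterceptUrlMap": "PatchedInterceptUrlMapFilterInvocationDefinition",
    "Requestmap": "PatchedRequestmapFilterInvocationDefinition",
}
DEP = re.compile(r"""['"][\w.]*:spring-security-core:(\d+)\.[^'"]*['"]""")
TYPE = re.compile(r"""securityConfigType\s*=\s*(?:SecurityConfigType\.)?['"]?(\w+)""")

def strip_comments(text):
    # Drop whole-line // comments so a commented-out setting does not count.
    return re.sub(r"(?m)^\s*//.*$", "", text)

def audit(build_text, config_text, resources_text=""):
    """Return (major_version, config_type, workaround_class, applied)."""
    build, config, resources = map(strip_comments, (build_text, config_text, resources_text))
    dep = DEP.search(build)
    if dep is None:
        raise ValueError("no literal spring-security-core version found")
    major = int(dep.group(1))
    found = TYPE.search(config)
    config_type = found.group(1) if found else "Annotation"  # the default type
    if config_type not in WORKAROUND:
        raise ValueError("unknown securityConfigType: " + config_type)
    cls = WORKAROUND[config_type]
    if major >= 3:
        # 3.x - 5.x: the class is named in objectDefinitionSourceBeanClass
        pattern = r"objectDefinitionSourceBeanClass\s*=\s*['\"][\w.]*\b" + cls + r"['\"]"
        applied = re.search(pattern, config) is not None
    else:
        # 2.x: the bean is redefined in grails-app/conf/spring/resources.groovy
        pattern = r"objectDefinitionSource\s*\(\s*[\w.]*\b" + cls + r"\s*\)"
        applied = re.search(pattern, resources) is not None
    return major, config_type, cls, applied

# Constructed sample input (not from a real project): the setting is commented out.
SAMPLE_BUILD = "dependencies {\n    compile 'org.grails.plugins:spring-security-core:3.2.3'\n}\n"
SAMPLE_CONFIG = (
    "grails.plugin.springsecurity.securityConfigType = 'InterceptUrlMap'\n"
    "// grails.plugin.springsecurity.objectDefinitionSourceBeanClass = "
    "'demo.PatchedInterceptUrlMapFilterInvocationDefinition'\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE_BUILD, SAMPLE_CONFIG))
```

A result with applied set to False means the class matching the configured security type is not wired in, which also covers a workaround class chosen for the wrong securityConfigType.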
More Information
For additional information on this vulnerability, please see the Grails blog post.
Discussion and questions can be directed to this Grails Spring Security Core plugin issue on GitHub.