CVE-2022-41923 PoC — Grails Spring Security Core plugin vulnerable to privilege escalation

Associated Vulnerability

Title: Grails Spring Security Core plugin vulnerable to privilege escalation (CVE-2022-41923)

Description: The Grails Spring Security Core plugin is vulnerable to privilege escalation. The vulnerability allows an attacker access to one endpoint (the targeted endpoint) using the authorization requirements of a different endpoint (the donor endpoint). In some Grails framework applications, access to the targeted endpoint will be granted based on meeting the authorization requirements of the donor endpoint, which can result in a privilege escalation attack. This vulnerability has been patched in grails-spring-security-core versions 3.3.2, 4.0.5 and 5.1.1.

Impacted applications: Grails Spring Security Core plugin versions

* 1.x
* 2.x
* >=3.0.0 <3.3.2
* >=4.0.0 <4.0.5
* >=5.0.0 <5.1.1

We strongly suggest that all Grails framework applications using the Grails Spring Security Core plugin be updated to a patched release of the plugin.

Workarounds: Users should create a subclass extending one of the following classes from the `grails.plugin.springsecurity.web.access.intercept` package, depending on their security configuration:

* `AnnotationFilterInvocationDefinition`
* `InterceptUrlMapFilterInvocationDefinition`
* `RequestmapFilterInvocationDefinition`

In each case, the subclass should override the `calculateUri` method like so:

```groovy
@Override
protected String calculateUri(HttpServletRequest request) {
    UrlPathHelper.defaultInstance.getRequestUri(request)
}
```

This should be considered a temporary measure, as the patched versions of grails-spring-security-core deprecate the `calculateUri` method. Once upgraded to a patched version of the plugin, this workaround is no longer needed. The workaround is especially important for version 2.x, as no patch is available for version 2.x of the GSSC plugin.
Readme
# Workaround for CVE-2022-41923: Privilege Management Vulnerability

## Summary 

The vulnerability [CVE-2022-41923](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41923)
found in the unpatched Grails Spring Security Core (GSSC) plugin can result in
[improper privilege management](https://cwe.mitre.org/data/definitions/269.html).
This repository describes how to work around the issue.

If you are using an unpatched version of the plugin, we highly recommend that you upgrade to a patched version.
If you are unable to upgrade immediately, we encourage you to implement the workaround described in this document.
_This is especially important if you are using GSSC plugin version 2.x, as no patch is available for version 2.x._

## Preparation

In order to correctly configure the workaround, you need to know:

* The version of the GSSC plugin your application employs. Look for the version number in your `build.gradle` file.
  (For Grails 2.x, look in the `BuildConfig.groovy` file).

* What security configuration type you are using: that is, the configuration value for
  `grails.plugin.springsecurity.securityConfigType` 
 
| Config Value           | Documentation Reference                                                                                            |
|------------------------|--------------------------------------------------------------------------------------------------------------------|
| `Annotation` (default) | [Secured Annotations](https://grails.github.io/grails-spring-security-core/latest/index.html#securedAnnotations)   |
| `InterceptUrlMap`      | [Static Map](https://grails.github.io/grails-spring-security-core/latest/index.html#configGroovyMap)               |
| `Requestmap`           | [Requestmap Instances](https://grails.github.io/grails-spring-security-core/latest/index.html#requestmapInstances) |

Note: In all the instructions and configuration below, the `demo` package is used.
Change the package to match your application and the directory in which you place the patched source files.

## Workaround for GSSC Plugin (versions 3.x - 5.x)

Determine the workaround class you need based on your security configuration type.

| Config Value      | Workaround Class                                   |
|-------------------|----------------------------------------------------|
| `Annotation`      | `PatchedAnnotationFilterInvocationDefinition`      |
| `InterceptUrlMap` | `PatchedInterceptUrlMapFilterInvocationDefinition` |
| `Requestmap`      | `PatchedRequestmapFilterInvocationDefinition`      |

Copy the corresponding source file into your `src/main/groovy` source tree, under the directory matching its package (for the `demo` package, `src/main/groovy/demo/`).

Finally, add the following configuration to your `application.groovy` config file,
replacing `PatchedAnnotationFilterInvocationDefinition` with the needed workaround class.

```groovy
grails.plugin.springsecurity.objectDefinitionSourceBeanClass = 'demo.PatchedAnnotationFilterInvocationDefinition'
```
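The repository's `Patched*` source files are not reproduced on this page. The following is an added example, not the repository's own file, of what such a class looks like for the `Annotation` configuration type, built from the `calculateUri` override the advisory above prescribes; the `demo` package name follows the README's convention, and the class and file names follow the table above. The `InterceptUrlMap` and `Requestmap` variants differ only in the superclass (`InterceptUrlMapFilterInvocationDefinition` and `RequestmapFilterInvocationDefinition` respectively). One caveat for older applications: the static `UrlPathHelper.defaultInstance` field used in the advisory snippet exists only from Spring Framework 5.3 onwards, so the example constructs its own `UrlPathHelper` with default settings, which behaves the same way and compiles against earlier Spring versions as well. It assumes the `javax.servlet` API that Grails 2.x to 6.x uses.

```groovy
// src/main/groovy/demo/PatchedAnnotationFilterInvocationDefinition.groovy
// Added example of the CVE-2022-41923 workaround class; not the repository's own file.
package demo

import grails.plugin.springsecurity.web.access.intercept.AnnotationFilterInvocationDefinition
import groovy.transform.CompileStatic
import org.springframework.web.util.UrlPathHelper

import javax.servlet.http.HttpServletRequest

/**
 * Workaround for CVE-2022-41923: the URI that the plugin matches against its
 * security rules is taken from Spring's UrlPathHelper (request URI, percent-decoded,
 * with any ";"-parameters removed), exactly as the advisory's override prescribes.
 * Remove this class again once the plugin is upgraded to a patched release.
 */
@CompileStatic
class PatchedAnnotationFilterInvocationDefinition extends AnnotationFilterInvocationDefinition {

    // A helper with default settings (urlDecode and removeSemicolonContent both true).
    // Equivalent to UrlPathHelper.defaultInstance, which only exists in Spring Framework 5.3+;
    // constructing our own keeps the class compiling on older Spring versions.
    private static final UrlPathHelper URL_PATH_HELPER = new UrlPathHelper()

    @Override
    protected String calculateUri(HttpServletRequest request) {
        URL_PATH_HELPER.getRequestUri(request)
    }
}
```

Because the patched plugin releases deprecate `calculateUri`, treat this file as a temporary measure and delete it (together with the `objectDefinitionSourceBeanClass` setting) when you upgrade.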

## Workaround for GSSC Plugin (version 2.x)

As above, determine the workaround class you need based on your security configuration type.
Copy the corresponding source file into your `src/groovy` source tree.
Then edit your bean configuration based on your application's security configuration type.

#### Security Config Type: Annotation

If using security configuration type `Annotation`, edit the `grails-app/conf/spring/resources.groovy` to include:
```groovy
import demo.PatchedAnnotationFilterInvocationDefinition
import grails.plugin.springsecurity.SpringSecurityUtils

beans = {
    def conf = SpringSecurityUtils.securityConfig
    objectDefinitionSource(PatchedAnnotationFilterInvocationDefinition) {
        application = ref('grailsApplication')
        grailsUrlConverter = ref('grailsUrlConverter')
        responseMimeTypesApi = ref('responseMimeTypesApi')
        boolean lowercase = conf.controllerAnnotations.lowercase
        if (conf.rejectIfNoRule instanceof Boolean) {
            rejectIfNoRule = conf.rejectIfNoRule
        }
    }

    // ... existing bean configuration ...
}
```

#### Security Config Type: Static Map

If using security configuration type `InterceptUrlMap`, edit the `grails-app/conf/spring/resources.groovy` to include:
```groovy
import demo.PatchedInterceptUrlMapFilterInvocationDefinition
import grails.plugin.springsecurity.SpringSecurityUtils

beans = {
    def conf = SpringSecurityUtils.securityConfig
    objectDefinitionSource(PatchedInterceptUrlMapFilterInvocationDefinition) {
        if (conf.rejectIfNoRule instanceof Boolean) {
            rejectIfNoRule = conf.rejectIfNoRule
        }
    }

    // ... existing bean configuration ...
}
```

#### Security Config Type: Requestmap Instances

If using security configuration type `Requestmap`, edit the `grails-app/conf/spring/resources.groovy` to include:
```groovy
import demo.PatchedRequestmapFilterInvocationDefinition
import grails.plugin.springsecurity.SpringSecurityUtils

beans = {
    def conf = SpringSecurityUtils.securityConfig
    objectDefinitionSource(PatchedRequestmapFilterInvocationDefinition) {
        if (conf.rejectIfNoRule instanceof Boolean) {
            rejectIfNoRule = conf.rejectIfNoRule
        }
    }

    // ... existing bean configuration ...
}
```
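Whichever way the bean is wired in (`application.groovy` for 3.x to 5.x, `resources.groovy` for 2.x), a configuration typo leaves the stock, vulnerable class in place silently, so it is worth checking that the workaround is actually in effect. The following added integration test is not part of the repository; it assumes Grails 3.3 or later (the `@Integration` annotation from grails-testing-support; on Grails 3.0 to 3.2 it lives in `grails.test.mixin.integration`), the `Annotation` security configuration type, and that the workaround class is named `demo.PatchedAnnotationFilterInvocationDefinition` as in the README. The request in the second feature is constructed for the test; the expected value follows from `UrlPathHelper`'s default behaviour (percent-decoding and removal of `;`-parameters).

```groovy
// src/integration-test/groovy/demo/Cve202241923WorkaroundSpec.groovy
// Added example; not part of the repository. Assumes Grails 3.3+ and the Annotation config type.
package demo

import grails.testing.mixin.integration.Integration
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.context.ApplicationContext
import org.springframework.mock.web.MockHttpServletRequest
import spock.lang.Specification

@Integration
class Cve202241923WorkaroundSpec extends Specification {

    @Autowired
    ApplicationContext applicationContext

    void "the objectDefinitionSource bean is the patched class"() {
        when: 'the bean the plugin consults for URL-to-role rules is looked up'
        def source = applicationContext.getBean('objectDefinitionSource')

        then: 'it is the workaround subclass, not the stock plugin class'
        source instanceof PatchedAnnotationFilterInvocationDefinition
    }

    void "calculateUri applies UrlPathHelper normalisation"() {
        given: 'a constructed request whose URI carries a ;-parameter and a percent-encoded byte'
        def source = applicationContext.getBean('objectDefinitionSource')
        def request = new MockHttpServletRequest('GET', '/admin/%75sers;jsessionid=abc')
        request.contextPath = ''

        expect: 'the URI matched against the rules is decoded and stripped of the ;-parameter'
        // calculateUri is protected; Groovy's dynamic dispatch lets the spec call it directly.
        source.calculateUri(request) == '/admin/users'
    }
}
```

If the first feature fails, the `objectDefinitionSourceBeanClass` value (or the `resources.groovy` bean name) does not match the class you copied in; if the second fails, the override is not the one the advisory prescribes.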

## More Information

For additional information on this vulnerability, please see the
[Grails blog post](https://grails.org/blog/2022-11-22-ss-plugin-auth-cve.html).

Discussion and questions can be directed to this Grails Spring Security Core plugin
[issue on GitHub](https://github.com/grails/grails-spring-security-core/issues/844).
File Snapshot

```text
├── [ 847] PatchedAnnotationFilterInvocationDefinition.groovy
├── [ 862] PatchedInterceptUrlMapFilterInvocationDefinition.groovy
├── [ 847] PatchedRequestmapFilterInvocationDefinition.groovy
└── [5.5K] README.md

0 directories, 4 files
```