exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Spring Security RunAsManager Privilege Escalation

Spring Security RunAsManager Privilege Escalation
Posted Sep 9, 2011
Authored by SpringSource Security Team, Rob Winch

Spring Security provides a mechanism (RunAsManager) to allow particular operations to run with a different set of privileges than the predefined user. The implementation contains a race condition whereby the escalated privileges could also be used in a different invocation in another thread. Versions 2.0.0 to 2.0.6 and 3.0.0 to 3.0.5 are affected.

tags | advisory
advisories | CVE-2011-2731
SHA-256 | 47b96c9de342642c2cd4e172c544b89e012a3797e75972454bb8c77cb5091e42

Spring Security RunAsManager Privilege Escalation

Change Mirror Download
CVE-2011-2731: Spring Security privilege escalation when using RunAsManager

Severity: Moderate

Versions Affected:
2.0.0 to 2.0.6
3.0.0 to 3.0.5
Earlier versions may also be affected

Description:
Spring Security provides a mechanism (RunAsManager) to allow particular operations to run with a different set of privileges than the predefined user. The implementation contains a race condition whereby the escalated privileges could also be used in a different invocation in another thread.

Example:
If the RunAsManager returns an Authentication object for the current invocation, the security interceptor will temporarily store this in the security context for the duration of the invocation. This authentication object would be shared with other concurrently executing threads, leading to a possible escalation of privileges in those threads.

Mitigation:
If you are not using a RunAsManager implementation, then you are not affected by this issue.
All users may mitigate this issue by upgrading to 3.0.6
Users of 2.0.x may upgrade to 2.0.7

Fix:
This issue was fixed by ensuring that the a new thread-local security context is created during run-as replacement and the temporary authentication token copied to it.

Credit:
The issue was discovered by Rob Winch.

History:
2011-09-09: Original advisory

References:
[1] https://www.springsource.com/security/cve-2011-2731
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close