Concurrent Execution using Shared Resource with Improper Synchronization in Spring Security

GHSA-4644-hg35-55m9 · CVE-2011-2731

Published May 17, 2022 · Modified Dec 7, 2024

Description

Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2011-2731
PACKAGE https://github.com/spring-projects/spring-security
WEB http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814
WEB http://support.springsource.com/security/cve-2011-2731

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes