CVE-2022-41923 - How Grails Spring Security Core Plugin Opens the Door to Privilege Escalation (and How to Fix It)
If you're building web applications with the Grails framework and you're relying on the Grails Spring Security Core (GSSC) plugin for authentication and authorization, you need to know about CVE-2022-41923. This vulnerability lets attackers access sensitive endpoints using the permissions of less-privileged endpoints—a classic privilege escalation scenario.
Let’s break down what you need to know, how it works, who is affected, and what you can do right now (including sample code).
What is CVE-2022-41923?
In short, CVE-2022-41923 is an authorization bypass in the Grails Spring Security Core plugin, the component that decides which users may reach which URLs in a Grails application. Because of the bug, a request for a protected URL (the “targeted endpoint”) can be authorized against the rules of a different, more permissive URL (the “donor endpoint”), so satisfying the weaker rule is enough to get through.
This means:
Attackers can gain unauthorized access to sensitive areas of your app by sneaking in through less-secure doors.
Let’s look at a simple example
Suppose your Grails app uses interceptUrlMap or @Secured annotations to control access.
// Example Groovy security configuration
grails.plugin.springsecurity.interceptUrlMap = [
[pattern: '/admin/**', access: ['ROLE_ADMIN']],
[pattern: '/user/**', access: ['ROLE_USER']]
]
If your application is vulnerable, an attacker can craft a request that satisfies the “donor endpoint” rule (/user/**) yet is dispatched to the “targeted endpoint” (/admin/**). The root cause is in how the plugin computes the request URI it matches against the rules (the calculateUri step): that computed URI can disagree with the endpoint that actually handles the request, so the authorization decision is made with the wrong endpoint’s rules. In terms of the configuration above:
1. The attacker has a user account with the ROLE_USER role.
2. The target endpoint /admin/dashboard is protected by ROLE_ADMIN.
3. The “donor endpoint” /user/profile requires only ROLE_USER.
4. Due to the bug, a crafted request can trick the GSSC plugin into authorizing /admin/dashboard as if it were /user/profile, and the ROLE_USER account is let in.
Official References
- CVE-2022-41923 at NVD
- GitHub Advisory GHSA-wwh2-69r9-4h4q
- Grails Plugin Security Advisory
Fixed Versions
The fix is available in GSSC 5.1.1 and later; upgrade to that release or newer.
If you’re on version 2.x, there is no official patch. Please see the workaround below.
The Workaround: Override the calculateUri Method
If you cannot upgrade immediately, override the URI calculation the plugin uses for authorization by subclassing the FilterInvocationDefinition that matches your security setup:
- @Secured annotations: AnnotationFilterInvocationDefinition
- interceptUrlMap: InterceptUrlMapFilterInvocationDefinition
- Requestmap domain class: RequestmapFilterInvocationDefinition
Here’s a ready-to-use example for an app using interceptUrlMap:
import grails.plugin.springsecurity.web.access.intercept.InterceptUrlMapFilterInvocationDefinition
import org.springframework.web.util.UrlPathHelper

import javax.servlet.http.HttpServletRequest

// Drop-in replacement for the plugin's interceptUrlMap security metadata source.
// Only the URI calculation changes; rule loading and pattern matching are inherited.
class FixedInterceptUrlMapFilterInvocationDefinition extends InterceptUrlMapFilterInvocationDefinition {
    @Override
    protected String calculateUri(HttpServletRequest request) {
        // Let Spring's UrlPathHelper produce the request URI that is matched
        // against the interceptUrlMap patterns, instead of the plugin's own calculation
        return UrlPathHelper.defaultInstance.getRequestUri(request)
    }
}
You’ll need to register this subclass in place of the plugin’s own bean. The plugin exposes the metadata source as the objectDefinitionSource bean, so redefine that bean with your class in grails-app/conf/spring/resources.groovy (or your equivalent Spring config), keeping any properties the plugin sets on the original.
> Important: This is a stop-gap only. In the newest GSSC plugin versions, the calculateUri method has been deprecated, and overriding it is no longer needed or supported.
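To see what the override actually changes, here is an added stand-alone Groovy script (not code from the advisory or the plugin) that feeds a few constructed request URIs through the same UrlPathHelper call the workaround uses and shows the path the rule matcher will see afterwards. It assumes spring-web and spring-test (for MockHttpServletRequest) on the classpath; the sample URIs are constructed to illustrate the normalization and are not taken from the advisory.

```groovy
// Added illustration (not from the advisory or the plugin): what the
// replacement URI calculation in the workaround does to a few constructed
// request URIs. Requires spring-web and spring-test on the classpath.
import org.springframework.mock.web.MockHttpServletRequest
import org.springframework.web.util.UrlPathHelper

import javax.servlet.http.HttpServletRequest

/** The same expression the workaround's calculateUri override returns. */
String authorizationUri(HttpServletRequest request) {
    UrlPathHelper.defaultInstance.getRequestUri(request)
}

/** Builds a servlet request for a raw (undecoded) URI, as a container would see it. */
HttpServletRequest requestFor(String rawUri) {
    new MockHttpServletRequest('GET', rawUri)
}

// Constructed sample URIs: the raw form on the left, the path that is handed
// to the interceptUrlMap pattern matcher on the right.
def samples = [
    '/admin/dashboard'                : '/admin/dashboard',
    '/admin/dashboard;jsessionid=ABC1': '/admin/dashboard', // ';' path parameters removed
    '/admin/%64ashboard'              : '/admin/dashboard', // percent-encoding decoded
]

samples.each { raw, expected ->
    String seen = authorizationUri(requestFor(raw))
    assert seen == expected : "expected ${expected} for ${raw}, got ${seen}"
    println "${raw.padRight(36)} -> ${seen}"
}
```

The point for a reviewer is that every variant ends up as the same canonical path before any /admin/** or /user/** rule is consulted, which is the property the override restores. If your Spring version has no UrlPathHelper.defaultInstance, `new UrlPathHelper()` carries the same default settings (semicolon content removed, request string decoded) and can be used in its place.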
Special Note for 2.x Users
If your app is on GSSC 2.x, this workaround is the only option, since there is no 2.x patch. Start planning a migration to a supported version as soon as possible.
What to Do Now
- Apps on a supported GSSC line: upgrade to a patched release (5.1.1 or later for 5.x) and drop any calculateUri override afterwards.
- Apps using GSSC 2.x: apply the workaround and make plans to upgrade.
- Test your endpoints: after applying the fix, confirm that a ROLE_USER account is refused at /admin/** and that every rule in your interceptUrlMap is still enforced as intended.
More Links
- Plugin homepage and updates
- Grails Security documentation
- Grails Security GitHub advisories
In Closing
Privilege escalation flaws can blow a hole in your application’s security model. CVE-2022-41923 is easy to overlook if you don’t inspect your plugin versions regularly. Fixing it is straightforward: update to a patched plugin version, or use the code snippet above as an emergency workaround.
Timeline
Published on: 11/23/2022 19:15:00 UTC
Last modified on: 07/10/2023 16:39:00 UTC