GHSA-mf92-479x-3373
Incorrect Security Enforcement vulnerability in spring-security-web (Maven)
What is GHSA-mf92-479x-3373 About?
This vulnerability in Spring Security may lead to HTTP response headers not being written for servlet applications, potentially exposing sensitive information or weakening security configurations. Attackers could leverage this to bypass client-side security measures or extract data; whether it is exploitable depends on how much the application relies on these headers and on how easily responses can be observed. The impact can range from information disclosure to reduced client-side protection.
Affected Software
- org.springframework.security:spring-security-web
  - >=5.8.0, <=5.8.16
  - >=6.0.0, <=6.3.10
  - >=7.0.0, <7.0.4
  - >=6.4.0, <=6.4.13
  - <=5.7.14
  - >=6.5.0, <6.5.9
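The ranges above use mixed inclusive and exclusive bounds, which is easy to misread when checking a build file by hand. The following script is an added example (not part of the advisory) that encodes those ranges as written and reports whether a given spring-security-web version falls inside one of them, together with the upgrade target the advisory lists for that range. The simple numeric version comparison and the handling of `.RELEASE` / `-SNAPSHOT` suffixes are assumptions; the ranges and upgrade targets are copied from the page.

```python
"""Classify a spring-security-web version against the GHSA-mf92-479x-3373 ranges.
Added example; the ranges and upgrade targets are copied from the advisory."""
import re

# Affected ranges exactly as the advisory lists them (order preserved).
AFFECTED_RANGES = [
    ">=5.8.0, <=5.8.16",
    ">=6.0.0, <=6.3.10",
    ">=7.0.0, <7.0.4",
    ">=6.4.0, <=6.4.13",
    "<=5.7.14",
    ">=6.5.0, <6.5.9",
]

# Upgrade targets the advisory names; the other ranges have no fix listed on the page.
UPGRADE_TARGETS = {
    ">=6.5.0, <6.5.9": "6.5.9",
    ">=7.0.0, <7.0.4": "7.0.4",
}

_CONSTRAINT = re.compile(r"^(>=|<=|<|>)\s*(\d+(?:\.\d+)*)$")


def parse_version(version):
    """Turn '6.5.3', '6.5.3.RELEASE' or '6.5.3-SNAPSHOT' into a 3-tuple of ints.
    Assumption: only the numeric core matters for these range checks."""
    core = re.split(r"[-+]", version)[0]
    core = re.sub(r"\.RELEASE$", "", core)
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    # Pad so that '6.4' compares equal to '6.4.0'.
    return tuple((parts + [0, 0, 0])[:3])


def satisfies(version, constraint):
    """True if `version` meets one constraint such as '<=5.8.16'."""
    match = _CONSTRAINT.match(constraint.strip())
    if not match:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, bound = match.groups()
    v, b = parse_version(version), parse_version(bound)
    return {">=": v >= b, "<=": v <= b, "<": v < b, ">": v > b}[op]


def in_range(version, range_spec):
    """A range like '>=6.5.0, <6.5.9' is the conjunction of its constraints."""
    return all(satisfies(version, c) for c in range_spec.split(","))


def assess(version):
    """Return the first affected range matching `version`, plus the listed upgrade target."""
    for spec in AFFECTED_RANGES:
        if in_range(version, spec):
            return {"affected": True, "range": spec, "upgrade_to": UPGRADE_TARGETS.get(spec)}
    return {"affected": False, "range": None, "upgrade_to": None}


if __name__ == "__main__":
    import sys
    for v in sys.argv[1:] or ["6.5.3", "7.0.4", "5.7.14"]:
        print(v, assess(v))
```

Run it with one or more version strings as arguments; a result with `"affected": True` and `"upgrade_to": None` means the version is in a range for which the advisory names no upgrade target, so the fix has to be taken from the vendor's own release notes.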
Technical Details
The vulnerability occurs in Spring Security when applications attempt to specify HTTP response headers for servlet applications. Due to an internal issue, these specified HTTP headers may not be correctly written to the outgoing response. This effectively nullifies the security controls or informational headers that the application developer meant to enforce. The technical mechanism involves a failure in the header writing pipeline within Spring Security, preventing the headers from being included in the final HTTP response sent to the client. An attacker could observe the lack of expected security headers, such as Content-Security-Policy or X-Frame-Options, and potentially exploit their absence on the client side.
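Because the failure mode is headers that are configured but never reach the client, the practical check after upgrading is to look at real responses rather than at the configuration. The script below is an added example, not code from the advisory or from Spring Security: it compares a response's header names against a set of headers the application is expected to send and lists any that are missing. The expected set is an assumption (adjust it to what the application's headers configuration actually emits), and the two sample responses are constructed for illustration.

```python
"""Report expected security headers that are absent from an HTTP response.
Added example; the expected-header set is an assumption, not advisory content."""
import urllib.error
import urllib.request

# Headers a defender would typically expect a Spring Security servlet application to
# emit. Assumption: tailor this to the application's own headers configuration.
EXPECTED_HEADERS = {
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "strict-transport-security",
    "cache-control",
}


def missing_security_headers(headers, expected=EXPECTED_HEADERS):
    """Return the sorted expected header names absent from `headers`.
    `headers` is any iterable of (name, value) pairs; names are case-insensitive."""
    present = {name.lower() for name, _ in headers}
    return sorted(expected - present)


def check_url(url, expected=EXPECTED_HEADERS, timeout=5):
    """Fetch `url` and report missing headers. Error responses are inspected too,
    since header writers are expected to run regardless of status code."""
    request = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return missing_security_headers(response.getheaders(), expected)
    except urllib.error.HTTPError as err:
        return missing_security_headers(err.headers.items(), expected)


# Constructed sample responses: one from a correctly configured application and one
# where the configured headers were silently dropped, the failure mode described above.
GOOD_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate"),
]
DROPPED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Content-Length", "1234"),
]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for url in sys.argv[1:]:
            print(url, "missing:", check_url(url) or "none")
    else:
        print("good sample missing:", missing_security_headers(GOOD_RESPONSE) or "none")
        print("dropped sample missing:", missing_security_headers(DROPPED_RESPONSE))
```

Run it against the application's own endpoints (including an authenticated page and an error page) before and after the upgrade; a non-empty list from `check_url` is the observable symptom this advisory describes, and the same function can be wired into an integration test so that a regression in header writing fails the build.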
What is the Impact of GHSA-mf92-479x-3373?
Successful exploitation may allow attackers to bypass client-side security mechanisms, facilitate cross-site scripting (XSS), clickjacking, or information disclosure, as critical HTTP security headers might not be enforced.
What is the Exploitability of GHSA-mf92-479x-3373?
Exploitation characteristics involve a remote attacker making requests to the application and observing the absence of expected HTTP response headers. No authentication or specific privileges are required. The complexity is low, as it primarily involves observation and the passive exploitation of missing security controls. The primary risk factor is the application's reliance on these headers for security, where their absence directly impacts client-side protection or information integrity.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-mf92-479x-3373?
Available Upgrade Options
- org.springframework.security:spring-security-web
  - >=6.5.0, <6.5.9 → Upgrade to 6.5.9
  - >=7.0.0, <7.0.4 → Upgrade to 7.0.4
Additional Resources
What are Similar Vulnerabilities to GHSA-mf92-479x-3373?
Similar Vulnerabilities: CVE-2016-1000027, CVE-2021-44228, CVE-2020-5412
