CVE-2022-31692 has been reported against Spring Security in version 5.6.8, which is currently used by Spring Boot 2.6.13.

Could you possibly update the dependency to 5.6.9 in Spring Boot 2.6.13?

https://avd.aquasec.com/nvd/2022/cve-2022-31692/

Comment From: jochenLekens

Also reported against Spring Security in version 5.7.4, used by Spring Boot 2.7.5 (latest).

Comment From: wilkinsona

Thanks, but there's no need to open an issue for this. We always upgrade to the latest Spring Security maintenance releases before releasing Spring Boot. This month's 2.6.14 and 2.7.6 will be no different. In the meantime, if you believe you are vulnerable to CVE-2022-31692, you can override Spring Boot's dependency management.
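
The override mentioned in the last comment, as an added example that is not part of the original thread: a Maven `pom.xml` fragment that pins Spring Security to the 5.6.9 release requested above. It assumes the project inherits from `spring-boot-starter-parent` 2.6.13, so the `spring-security.version` property defined by Spring Boot's dependency management can be overridden from the project's own `<properties>`.

```xml
<!-- Fragment of pom.xml (assumed layout: the project uses the Spring Boot parent POM) -->
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.13</version>
    <relativePath/>
</parent>

<properties>
    <!-- Managed by Spring Boot 2.6.13 as 5.6.8; overridden here to 5.6.9.
         Remove this property after moving to a Spring Boot release that
         already manages a patched Spring Security, otherwise the pin will
         hold the project on 5.6.9 and block later security updates. -->
    <spring-security.version>5.6.9</spring-security.version>
</properties>

<dependencies>
    <!-- No version here: it is resolved through the property above -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
</dependencies>
```

Running `mvn dependency:tree -Dincludes=org.springframework.security` afterwards shows which Spring Security version is actually resolved, including for modules pulled in transitively.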