CVE-2024-38810: Missing Authorization When Using @AuthorizeReturnObject
Description

Applications using @AuthorizeReturnObject or the Spring Security produced AuthorizationAdvisorProxyFactory @Bean to wrap objects may not have all security advice applied. When method security advice is not applied, annotations like @PreFilter and @PreAuthorize on the wrapped object's methods may take no effect…
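The practical consequence is that a method guarded by @PreAuthorize on a returned object can be invoked without the check running. The JUnit test below is an added regression check, not code from the advisory or from the Spring Security project: it proxies a service through AuthorizationAdvisorProxyFactory and asserts that the advice on the returned object is actually enforced. It assumes the Spring Security 6.3 API (AuthorizationAdvisorProxyFactory.withDefaults(), @AuthorizeReturnObject) and JUnit 5 on the classpath; the Account and AccountService classes and the sample values are hypothetical. On a release where the advice is not applied, the denial assertion fails, which is the signal that the application is affected.

```java
// Added regression check (not part of the advisory or of Spring Security).
// Assumes Spring Security 6.3 (AuthorizationAdvisorProxyFactory, @AuthorizeReturnObject)
// and JUnit 5. Account/AccountService and the sample values are constructed for the test.
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
import org.springframework.security.authorization.method.AuthorizeReturnObject;
import org.springframework.security.core.context.SecurityContextHolder;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

class AuthorizeReturnObjectAdviceTest {

    // Domain object whose sensitive getter is guarded by method security.
    static class Account {
        @PreAuthorize("hasRole('ADMIN')")
        public String getSsn() { return "123-45-6789"; } // constructed sample value

        public String getOwner() { return "alice"; }     // constructed sample value
    }

    // Service returning Account instances; @AuthorizeReturnObject asks Spring Security
    // to wrap the returned object so the getter's @PreAuthorize is enforced.
    static class AccountService {
        @AuthorizeReturnObject
        public Account find() { return new Account(); }
    }

    // Wrap the service with the default advisors (pre/post authorize, pre/post filter,
    // authorize-return-object), the same way the Spring Security produced @Bean would.
    private static AccountService securedService() {
        AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults();
        return (AccountService) factory.proxy(new AccountService());
    }

    // Populate the security context with a test principal holding the given authorities.
    private static void runAs(String... authorities) {
        SecurityContextHolder.getContext()
            .setAuthentication(new TestingAuthenticationToken("user", "n/a", authorities));
    }

    @AfterEach
    void clearContext() { SecurityContextHolder.clearContext(); }

    @Test
    void nonAdminIsDeniedOnReturnedObject() {
        runAs("ROLE_USER");
        Account account = securedService().find();
        // Unguarded method still works through the proxy.
        assertEquals("alice", account.getOwner());
        // Guarded method must be refused; if this assertion fails, the advice was not applied.
        assertThrows(AccessDeniedException.class, account::getSsn);
    }

    @Test
    void adminIsAllowedOnReturnedObject() {
        runAs("ROLE_ADMIN");
        assertEquals("123-45-6789", securedService().find().getSsn());
    }
}
```

Run it with the project's normal test task (for example `./gradlew test` or `mvn test`). Keeping a check like this in the suite turns "advice may not be applied" from a release note into a failing build, which is the point of the test: it exercises the proxied return object directly rather than trusting that the annotation was honoured.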