Spring Security 6.1.x<6.1.7/6.2.x<6.2.2: Broken Access via AuthenticationTrustResolver.isFullyAuthen
CVE-2024-22234 Published on February 20, 2024
CVE-2024-22234: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated
In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method.
Specifically, an application is vulnerable if:
* The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it, resulting in an erroneous true return value.
An application is not vulnerable if any of the following is true:
* The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly.
* The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated.
* The application only uses isFullyAuthenticated via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html
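The following is an added illustration of the vulnerable calling pattern beside a null-safe one; it is not code from the advisory or from the Spring Security project. It assumes the standard Spring Security types (AuthenticationTrustResolverImpl, SecurityContextHolder) and a hypothetical class FullAuthCheck with two hypothetical methods, vulnerableCheck and hardenedCheck.

```java
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical helper, written for this illustration only.
public class FullAuthCheck {

    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    // Vulnerable pattern on 6.1.x < 6.1.7 and 6.2.x < 6.2.2: when no Authentication has been
    // placed in the SecurityContext (an unauthenticated request), getAuthentication() returns
    // null, and isFullyAuthenticated(null) erroneously returns true, so access is granted.
    boolean vulnerableCheck() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return trustResolver.isFullyAuthenticated(auth);
    }

    // Null-safe pattern: never hand null to isFullyAuthenticated. Treat a missing or
    // unauthenticated Authentication as "not fully authenticated" before consulting the
    // resolver, so the outcome is fail-closed regardless of the library version.
    boolean hardenedCheck() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        return trustResolver.isFullyAuthenticated(auth);
    }
}
```

The null guard is a defensive measure for code that must keep calling the resolver directly; the durable remediation is to upgrade to 6.1.7 or 6.2.2, or to express the requirement through Method Security or HTTP Request Security, which the advisory lists as unaffected paths. A unit test that sets an empty SecurityContext and asserts that the check returns false is a cheap way to catch this pattern in an application's own code.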
Vulnerability Analysis
CVE-2024-22234 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be high on confidentiality and integrity, and none on availability.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2024-22234 has been classified as an Authorization vulnerability or weakness.
Products Associated with CVE-2024-22234
Affected Versions
Spring Security:
- Versions 6.1.x from 6.1.0 up to but not including 6.1.7 are affected.
- Versions 6.2.x from 6.2.0 up to but not including 6.2.2 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.