Broken Access Control Vulnerability in Spring Security
CVE-2024-22234

7.4HIGH

Key Information:

Vendor

Spring

Status
Spring Security
Vendor
CVE Published:
20 February 2024

What is CVE-2024-22234?

In versions 6.1.x prior to 6.1.7 and 6.2.x prior to 6.2.2, Spring Security is affected by a vulnerability that arises from improper use of the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. When applications directly invoke this method with a null authentication parameter, it incorrectly returns a true value, creating a potential break in access control. Applications are safe if they do not use this method directly, ensure null is not passed, or rely solely on Method and HTTP Request Security. Organizations using affected versions should assess their implementation of Spring Security to verify risk exposure and implement necessary remediation measures.

Affected Version(s)

Spring Security 6.1.x < 6.1.7

Spring Security 6.2.x < 6.2.2

References

https://spring.io/security/cve-2024-22234
https://security.netapp.com/advisory/ntap-20240315-0003/

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2024-22234 : Broken Access Control Vulnerability in Spring Security