CVE-2024-22234: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated
First published: Tue Feb 20 2024(Updated: )
In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is vulnerable if: * The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it resulting in an erroneous true return value. An application is not vulnerable if any of the following is true: * The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly. * The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated * The application only uses isFullyAuthenticated via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html
Credit: security@vmware.com security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.springframework.security:spring-security-core | >=6.2.0<6.2.2 | 6.2.2 |
| maven/org.springframework.security:spring-security-core | >=6.1.0<6.1.7 | 6.1.7 |
| redhat/spring-security | <6.1.7 | 6.1.7 |
| redhat/spring-security | <6.2.2 | 6.2.2 |
| Spring Security | >=6.1.0<6.1.7 | |
| Spring Security | >=6.2.0<6.2.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2024-22234
- https://spring.io/security/cve-2024-22234
- https://github.com/spring-projects/spring-security/commit/750cb30ce44d279c2f54c845d375e6a58bded569
- https://github.com/advisories/GHSA-w3w6-26f2-p474 (Advisory)
- https://security.netapp.com/advisory/ntap-20240315-0003/
- https://security.netapp.com/advisory/ntap-20240315-0003
- https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html
- https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html
- https://access.redhat.com/errata/RHSA-2024:3550
- https://bugzilla.redhat.com/show_bug.cgi?id=2265172
Frequently Asked Questions
What is the severity of CVE-2024-22234?
CVE-2024-22234 has a high severity rating due to its potential for broken access control.
How do I fix CVE-2024-22234?
To mitigate CVE-2024-22234, upgrade Spring Security to version 6.1.7 or 6.2.2.
What versions are affected by CVE-2024-22234?
CVE-2024-22234 affects Spring Security versions 6.1.x prior to 6.1.7 and 6.2.x prior to 6.2.2.
What does CVE-2024-22234 exploit in Spring Security?
CVE-2024-22234 exploits broken access control when using the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method.
Is there a workaround for CVE-2024-22234 until I can upgrade?
Currently, there are no documented workarounds for CVE-2024-22234, so updating to a remedial version is essential.
- agent/title
- agent/type
- agent/first-publish-date
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/author
- agent/weakness
- collector/nvd-cve
- source/NVD
- agent/references
- agent/severity
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/source
- agent/tags
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-w3w6-26f2-p474
- alias/CVE-2024-22234
- agent/software-canonical-lookup
- agent/description
- agent/event
- collector/github-advisory
- collector/redhat-bugzilla
- source/Red Hat
- agent/last-modified-date
- collector/nvd-api
- package-manager/maven
- package-manager/redhat
- vendor/vmware
- canonical/spring security
- version/spring security/6.1.0
- version/spring security/6.2.0