Bug 2265172 (CVE-2024-22234)

Summary: CVE-2024-22234 spring-security: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, anstephe, asatyam, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, chfoley, clement.escoffier, cmiranda, dandread, darran.lofthouse, dfreiber, dhanak, diagrawa, dkreling, dosoudil, dpalmer, drichtar, drow, ecerquei, fjuma, fmariani, gmalinko, gsmet, ibek, ivassile, iweiss, janstey, jburrell, jmartisk, jpoth, jrokos, jscholz, kverlaen, lgao, lthon, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, olubyans, owatkins, parichar, pcongius, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rowaters, rruss, rstancel, rsvoboda, sabiswas, sausingh, sbiarozk, sdawley, smaestri, sthorger, swoodman, tasato, tcunning, tom.jenkinson, tqvarnst, vkumar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: spring-security 6.1.7, spring-security 6.2.2 Doc Type: ---
Doc Text:
A vulnerability was found in Spring Security. This issue may lead to Broken Access Control, allowing a malicious user to impact the Confidentiality and Integrity of an application or server. This requires the application to use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and have a null authentication parameter passed to it, resulting in an erroneous true return value.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2265171    

Description Patrick Del Bello 2024-02-20 19:33:56 UTC 
In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method.

Specifically, an application is vulnerable if:

  *  The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it resulting in an erroneous true return value.

An application is not vulnerable if any of the following is true:

  *  The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly.
  *  The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated
  *  The application only uses isFullyAuthenticated via  Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html  or  HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html

https://spring.io/security/cve-2024-22234
Comment 7 errata-xmlrpc 2024-06-03 11:53:39 UTC 
This issue has been addressed in the following products:

  HawtIO 4.0.0 for Red Hat build of Apache Camel 4

Via RHSA-2024:3550 https://access.redhat.com/errata/RHSA-2024:3550