Bug 2270158 (CVE-2024-22257) - CVE-2024-22257 spring-security: Broken Access Control With Direct Use of AuthenticatedVoter
Summary: CVE-2024-22257 spring-security: Broken Access Control With Direct Use of Auth...
Keywords:
Status: NEW
Alias: CVE-2024-22257
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2270161
Reported: 2024-03-18 17:47 UTC by Pedro Sampaio
Modified: 2024-04-30 23:00 UTC

Fixed In Version: spring-security-core 5.7.12, spring-security-core 5.8.11, spring-security-core 6.0.10, spring-security-core 6.1.8, spring-security-core 6.2.3
Doc Type: ---
Doc Text:
A broken access control flaw was found in Spring Security. Applications may be vulnerable when they call AuthenticatedVoter#vote directly and pass a null Authentication parameter.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Pedro Sampaio 2024-03-18 17:47:45 UTC
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.

References:

https://spring.io/security/cve-2024-22257
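As an added illustration (not code from this bug report or from Spring Security itself), the direct call pattern the report warns about is shown beside a null-safe wrapper that denies access before the voter is consulted. The class name, the plain secured object and the choice of IS_AUTHENTICATED_FULLY as the checked attribute are assumptions for the example.

```java
import java.util.Collection;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Constructed example for CVE-2024-22257: the unsafe call pattern named in the
 * report next to a null-safe wrapper. Not Spring Security's own code.
 */
public class AuthenticatedVoterNullCheck {

    // Attribute under test; the same pattern applies to the other IS_AUTHENTICATED_* values.
    private static final Collection<ConfigAttribute> FULLY_AUTHENTICATED =
            SecurityConfig.createList(AuthenticatedVoter.IS_AUTHENTICATED_FULLY);

    private final AuthenticatedVoter voter = new AuthenticatedVoter();

    // Pattern the report describes: the Authentication is read from the
    // SecurityContext and handed straight to vote(). On an unauthenticated
    // request the context holds null, and affected versions do not deny that case.
    int voteDirect(Object securedObject) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return voter.vote(auth, securedObject, FULLY_AUTHENTICATED);
    }

    // Defensive pattern: a missing Authentication is an access denial in the
    // caller, regardless of which Spring Security version is on the classpath.
    int voteNullSafe(Object securedObject) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return AccessDecisionVoter.ACCESS_DENIED;
        }
        return voter.vote(auth, securedObject, FULLY_AUTHENTICATED);
    }

    // Self-check against the project's resolved Spring Security version: with an
    // empty SecurityContext the null-safe path must return ACCESS_DENIED (-1), and
    // on a fixed release the direct path must return ACCESS_DENIED as well.
    public static void main(String[] args) {
        SecurityContextHolder.clearContext();
        AuthenticatedVoterNullCheck check = new AuthenticatedVoterNullCheck();
        System.out.println("null-safe -> " + check.voteNullSafe(new Object()));
        System.out.println("direct    -> " + check.voteDirect(new Object()));
    }
}
```

Running the self-check after upgrading to one of the fixed versions listed above is a quick way to confirm the dependency actually resolved to a patched release.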

