Skip to content

Erroneous authentication pass in Spring Security

High severity GitHub Reviewed Published Mar 18, 2024 to the GitHub Advisory Database • Updated Apr 19, 2024

Package

maven org.springframework.security:spring-security-core (Maven)

Affected versions

< 5.7.12
>= 5.8.0, < 5.8.11
>= 6.0.0, < 6.1.8
>= 6.2.0, < 6.2.3

Patched versions

5.7.12
5.8.11
6.1.8
6.2.3

Description

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.

Specifically, an application is vulnerable if:

The application uses AuthenticatedVoter directly and a null authentication parameter is passed to it resulting in an erroneous true return value.

An application is not vulnerable if any of the following is true:

  • The application does not use AuthenticatedVoter#vote directly.
  • The application does not pass null to AuthenticatedVoter#vote.

Note that AuthenticatedVoter is deprecated since 5.8, use implementations of AuthorizationManager as a replacement.

References

Published by the National Vulnerability Database Mar 18, 2024
Published to the GitHub Advisory Database Mar 18, 2024
Reviewed Mar 18, 2024
Last updated Apr 19, 2024

Severity

High
8.2
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Weaknesses

CVE ID

CVE-2024-22257

GHSA ID

GHSA-f3jh-qvm4-mg39

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.