Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreSpring Security Advisories
CVE-2024-22257: Possible Broken Access Control in Spring Security With Direct Use of AuthenticatedVoter
Description
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.
Specifically, an application is vulnerable if:
- The application uses
AuthenticatedVoterdirectly and anullauthentication parameter is passed to it resulting in an erroneoustruereturn value.
An application is not vulnerable if any of the following is true:
- The application does not use
AuthenticatedVoter#votedirectly. - The application does not pass
nulltoAuthenticatedVoter#vote.
Note that AuthenticatedVoter is deprecated since 5.8, use implementations of AuthorizationManager as a replacement.
Affected Spring Products and Versions
Spring Security
- 6.2.0 to 6.2.2
- 6.1.0 to 6.1.7
- 6.0.0 to 6.0.9
- 5.8.0 to 5.8.10
- 5.7.0 to 5.7.11
- Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 5.7.x | 5.7.12 | OSS |
| 5.8.x | 5.8.11 | OSS |
| 6.0.x | 6.0.10 | Enterprise Support Only |
| 6.1.x | 6.1.8 | OSS |
| 6.2.x | 6.2.3 | OSS |
Credit
The issue was identified and responsibly reported by pwnull (https://github.com/pwnull).
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all