Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreIn Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote
passing a null
Authentication parameter.
Specifically, an application is vulnerable if:
AuthenticatedVoter
directly and a null
authentication parameter is passed to it resulting in an erroneous true
return value.An application is not vulnerable if any of the following is true:
AuthenticatedVoter#vote
directly.null
to AuthenticatedVoter#vote
.Note that AuthenticatedVoter
is deprecated since 5.8, use implementations of AuthorizationManager
as a replacement.
Spring Security
Affected version(s) | Fix version | Availability |
---|---|---|
5.7.x | 5.7.12 | OSS |
5.8.x | 5.8.11 | OSS |
6.0.x | 6.0.10 | Enterprise Support Only |
6.1.x | 6.1.8 | OSS |
6.2.x | 6.2.3 | OSS |
The issue was identified and responsibly reported by pwnull (https://github.com/pwnull).
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy