Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2024-22234: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated
Description
In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method.
Specifically, an application is vulnerable if:
- The application uses
AuthenticationTrustResolver.isFullyAuthenticated(Authentication)directly and anullauthentication parameter is passed to it resulting in an erroneoustruereturn value.
An application is not vulnerable if any of the following is true:
- The application does not use
AuthenticationTrustResolver.isFullyAuthenticated(Authentication)directly. - The application does not pass
nulltoAuthenticationTrustResolver.isFullyAuthenticated - The application only uses
isFullyAuthenticatedvia Method Security or HTTP Request Security
Affected Spring Products and Versions
- Spring Security
- 6.1.0 to 6.1.6
- 6.2.0 to 6.2.1
Mitigation
Users of affected versions should apply the following mitigation. 6.1.x users should upgrade to 6.1.7. 6.2.x users should upgrade to 6.2.2. No other steps are necessary. Releases that have fixed this issue include:
- Spring Security
- 6.1.7
- 6.2.2
Credit
This issue was identified and responsibly reported by Rogério Sorroche (https://github.com/rogeriosorroche).
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all