CVE-2024-22234

Severity
7.4 HIGH
EPSS
1.7% (top 17.95%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 20, 2024
Latest update: Jul 15, 2024

Description

In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is vulnerable if:

* The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it, resulting in an erroneous true return value.

An application is
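The failure mode above is easy to reproduce in application code: the Authentication stored in the SecurityContext is null whenever no one has authenticated, and any code path that hands that value straight to isFullyAuthenticated(Authentication) lets an unauthenticated request through on the affected versions. The following is an added example, not code from the page or from the Spring Security project. It assumes spring-security-core is on the classpath; the class name, the two gate methods and sensitiveOperation() are hypothetical names chosen for illustration. It puts the vulnerable direct call next to a caller-side guard that rejects a missing Authentication before the library ever sees it, so the result no longer depends on which library version handles the null.

```java
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Added example for CVE-2024-22234 (not Spring Security's own code).
 * Assumes spring-security-core on the classpath; class and method names are hypothetical.
 */
public class FullyAuthenticatedCheck {

    // AuthenticationTrustResolverImpl is Spring Security's default resolver implementation.
    private static final AuthenticationTrustResolver RESOLVER = new AuthenticationTrustResolverImpl();

    /**
     * VULNERABLE pattern on 6.1.x before 6.1.7 and 6.2.x before 6.2.2.
     * With an empty SecurityContext, getAuthentication() returns null, and the affected
     * versions return true from isFullyAuthenticated(null), so this gate opens for a
     * request that never authenticated at all.
     */
    static boolean vulnerableGate() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return RESOLVER.isFullyAuthenticated(auth); // null is passed straight through
    }

    /**
     * HARDENED pattern: a missing Authentication is treated as "not fully authenticated"
     * before the resolver is consulted. The short-circuit means the resolver is only ever
     * called with a non-null value, so the outcome is the same on fixed and unfixed versions.
     */
    static boolean hardenedGate() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null && RESOLVER.isFullyAuthenticated(auth);
    }

    /** Hypothetical service method guarded by the hardened check. */
    static String sensitiveOperation() {
        if (!hardenedGate()) {
            throw new AccessDeniedException("Full authentication is required");
        }
        return "sensitive result";
    }

    public static void main(String[] args) {
        // Constructed scenario: nobody is logged in, so the context holds no Authentication.
        SecurityContextHolder.clearContext();
        System.out.println("hardenedGate()   with empty context: " + hardenedGate());
        System.out.println("vulnerableGate() with empty context: " + vulnerableGate());
        try {
            sensitiveOperation();
        } catch (AccessDeniedException e) {
            System.out.println("sensitiveOperation(): " + e.getMessage());
        }
    }
}
```

Run against 6.1.x before 6.1.7 or 6.2.x before 6.2.2, vulnerableGate() reports true for the empty context while hardenedGate() reports false; on 6.1.7 / 6.2.2 or later both report false. The guard is a stopgap for code that cannot be upgraded immediately; upgrading to a fixed version remains the actual remediation, and the guard costs nothing once that is done.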

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.2 | Impact: 5.2

Affected Packages (3 packages)

Source      Package                   Affected   Fixed in
CVEList V5  spring/spring_security    6.1.x      6.1.7     (+1 more range)
NVD         vmware/spring_security    6.1.0 –    6.1.7     (+1 more range)

Vulnerability Details (3)

CVEList   CVE-2024-22234: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated   2024-02-20
OSV       Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated                   2024-02-20
GHSA      Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated                   2024-02-20

Vendor Advisories (2)

Oracle    Oracle Communications Risk Matrix: Install (Spring Security) — CVE-2024-22234                       2024-07-15
Red Hat   spring-security: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated   2024-02-20
CVE-2024-22234 (HIGH CVSS 7.4) | In Spring Security | cvebase.io