CVE-2024-38810

CWE-287 — Improper Authentication CWE-862 — Missing Authorization5 documents5 sources

Severity

7.5HIGH

EPSS

1.0%

top 23.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spring Spring Security Vmware Spring Security

Timeline

PublishedAug 20

Description

Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5spring/spring_security6.3.x — 6.3.2

▶NVDvmware/spring_security6.3.0 — 6.3.2

▶Mavenorg.springframework.security:spring-security-core6.3.0 — 6.3.2

🔴Vulnerability Details

CVEList

Missing Authorization When Using @AuthorizeReturnObject↗2024-08-20

▶

OSV

Spring Security Missing Authorization vulnerability↗2024-08-20

▶

GHSA

Spring Security Missing Authorization vulnerability↗2024-08-20

▶

📋Vendor Advisories

Red Hat

spring-security: Missing Authorization When Using @AuthorizeReturnObject↗2024-08-20

▶