CVE-2024-22234

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-22234
In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is vulnerable if: * The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it resulting in an erroneous true return value. An application is not vulnerable if any of the following is true: * The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly. * The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated * The application only uses isFullyAuthenticated via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html  or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html

7.4 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://security.netapp.com/advisory/ntap-20240315-0003/ Third Party Advisory
https://spring.io/security/cve-2024-22234 Vendor Advisory
https://security.netapp.com/advisory/ntap-20240315-0003/ Third Party Advisory
https://spring.io/security/cve-2024-22234 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
History

02 Apr 2025, 20:10

Type Values Removed Values Added
First Time Vmware
Vmware spring Security
CPE cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
References () https://security.netapp.com/advisory/ntap-20240315-0003/ - () https://security.netapp.com/advisory/ntap-20240315-0003/ - Third Party Advisory
References () https://spring.io/security/cve-2024-22234 - () https://spring.io/security/cve-2024-22234 - Vendor Advisory

13 Feb 2025, 18:16

Type Values Removed Values Added
Summary (en) In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is vulnerable if: * The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it resulting in an erroneous true return value. An application is not vulnerable if any of the following is true: * The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly. * The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated * The application only uses isFullyAuthenticated via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html  or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html (en) In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is vulnerable if: * The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it resulting in an erroneous true return value. An application is not vulnerable if any of the following is true: * The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly. * The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated * The application only uses isFullyAuthenticated via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html  or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html
Information

Published : 2024-02-20 07:15

Updated : 2025-04-02 20:10

NVD link : CVE-2024-22234

Mitre link : CVE-2024-22234

CVE.ORG link : CVE-2024-22234

JSON object : View

Products Affected

vmware

  • spring_security
CWE
CWE-284

Improper Access Control