Headline
GHSA-w3w6-26f2-p474: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated
In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method.
Specifically, an application is vulnerable if:
- The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it resulting in an erroneous true return value.
An application is not vulnerable if any of the following is true:
- The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly.
- The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated
- The application only uses isFullyAuthenticated via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html
Skip to content
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-22234
Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated
High severity GitHub Reviewed Published Feb 20, 2024 to the GitHub Advisory Database • Updated Feb 21, 2024
Package
maven org.springframework.security:spring-security-core (Maven)
Affected versions
>= 6.1.0, < 6.1.7
>= 6.2.0, < 6.2.2
Patched versions
6.1.7
6.2.2
Description
Published to the GitHub Advisory Database
Feb 20, 2024
Last updated
Feb 21, 2024
Related news
Red Hat Security Advisory 2024-3550-03 - HawtIO 4.0.0 for Red Hat build of Apache Camel 4 GA Release is now available. Issues addressed include code execution, denial of service, and password leak vulnerabilities.