Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-w3w6-26f2-p474: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated

In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method.

Specifically, an application is vulnerable if:

  • The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it resulting in an erroneous true return value.

An application is not vulnerable if any of the following is true:

  • The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly.
  • The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated
  • The application only uses isFullyAuthenticated via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html
ghsa
#vulnerability#git#java#auth#maven

Skip to content

    • Actions

      Automate any workflow

    • Packages

      Host and manage packages

    • Security

      Find and fix vulnerabilities

    • Codespaces

      Instant dev environments

    • Copilot

      Write better code with AI

    • Code review

      Manage code changes

    • Issues

      Plan and track work

    • Discussions

      Collaborate outside of code

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles
  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-22234

Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated

High severity GitHub Reviewed Published Feb 20, 2024 to the GitHub Advisory Database • Updated Feb 21, 2024

Package

maven org.springframework.security:spring-security-core (Maven)

Affected versions

>= 6.1.0, < 6.1.7

>= 6.2.0, < 6.2.2

Patched versions

6.1.7

6.2.2

Description

Published to the GitHub Advisory Database

Feb 20, 2024

Last updated

Feb 21, 2024

Related news

Red Hat Security Advisory 2024-3550-03

Red Hat Security Advisory 2024-3550-03 - HawtIO 4.0.0 for Red Hat build of Apache Camel 4 GA Release is now available. Issues addressed include code execution, denial of service, and password leak vulnerabilities.