Unknown · Spring Security · CVE-2024-22234
**Name of the Vulnerable Software and Affected Versions**
Spring Security versions 6.1.x through 6.1.6
Spring Security versions 6.2.x through 6.2.1
**Description**
The issue is a broken access control flaw in Spring Security that arises when the `AuthenticationTrustResolver.isFullyAuthenticated(Authentication)` method is used directly. Specifically, an application is vulnerable if it calls this method directly and a null authentication parameter is passed, in which case the method erroneously returns true. This could allow a remote attacker to compromise the integrity and confidentiality of protected information.
**Recommendations**
For Spring Security versions 6.1.x through 6.1.6, update to version 6.1.7 or later to resolve the issue.
For Spring Security versions 6.2.x through 6.2.1, update to version 6.2.2 or later to resolve the issue.
As a temporary workaround, avoid calling the `AuthenticationTrustResolver.isFullyAuthenticated(Authentication)` method directly, or ensure that a null authentication parameter is never passed to it.
Alternatively, use the `isFullyAuthenticated` method via Method Security or HTTP Request Security to minimize the risk of exploitation.
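The following added example (not from the advisory or the Spring Security project) illustrates both the direct-call pattern described above and the null-guard workaround. It assumes Spring Security on the classpath; the class name `NullSafeTrustCheck` and its two helper methods are hypothetical.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical class; the helper methods below are not part of Spring Security.
public final class NullSafeTrustCheck {

    private static final AuthenticationTrustResolver RESOLVER = new AuthenticationTrustResolverImpl();

    // Vulnerable pattern: the resolver is called directly. SecurityContextHolder returns
    // null when nobody has authenticated, and on affected versions (6.1.x through 6.1.6,
    // 6.2.x through 6.2.1) the resolver answers true for null, so this check passes.
    static boolean vulnerableCheck() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return RESOLVER.isFullyAuthenticated(auth);
    }

    // Workaround pattern: a missing Authentication is never treated as fully
    // authenticated, whatever version of the library is on the classpath.
    static boolean guardedCheck() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null && RESOLVER.isFullyAuthenticated(auth);
    }

    public static void main(String[] args) {
        // Case 1: empty security context, so getAuthentication() yields null.
        SecurityContextHolder.clearContext();
        System.out.println("no authentication  direct=" + vulnerableCheck() + " guarded=" + guardedCheck());

        // Case 2: constructed anonymous principal.
        Authentication anonymous = new AnonymousAuthenticationToken("key", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        SecurityContextHolder.getContext().setAuthentication(anonymous);
        System.out.println("anonymous          direct=" + vulnerableCheck() + " guarded=" + guardedCheck());

        // Case 3: constructed fully authenticated user; the three-argument
        // constructor marks the token as authenticated.
        Authentication user = new UsernamePasswordAuthenticationToken("alice", null,
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        SecurityContextHolder.getContext().setAuthentication(user);
        System.out.println("authenticated user direct=" + vulnerableCheck() + " guarded=" + guardedCheck());
        SecurityContextHolder.clearContext();
    }
}
```

Running it against an affected version shows the two checks disagreeing only in the first case; after upgrading to a fixed release, both return false for a missing Authentication.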