PT-2024-1840 · Unknown · Spring Security

Rogério Sorroche · Published 2024-02-19 · Updated 2026-05-21 · CVE-2024-22234

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Spring Security versions 6.1.x through 6.1.6
Spring Security versions 6.2.x through 6.2.1

Description

The issue is a broken access control in Spring Security that appears when the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method is used directly. Specifically, an application is vulnerable if it calls this method directly and passes a null authentication parameter, in which case the method erroneously returns true. This could allow a remote attacker to impact the integrity and confidentiality of protected information.

Recommendations

For Spring Security versions 6.1.x through 6.1.6, update to version 6.1.7 or later to resolve the issue. For Spring Security versions 6.2.x through 6.2.1, update to version 6.2.2 or later to resolve the issue. As a temporary workaround, avoid calling the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method directly, or ensure that a null authentication parameter is never passed to it. Alternatively, use the isFullyAuthenticated method via Method Security or HTTP Request Security to minimize the risk of exploitation.
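As an added illustration, not code from the advisory or from the Spring Security project, the hypothetical helper below places the direct-call pattern the recommendations warn about next to a null-safe wrapper that applies the workaround; the class and method names are assumed, and the sample tokens are constructed for the demonstration.

```java
import java.util.List;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical helper (assumed name) applying the advisory's workaround. */
public final class FullyAuthenticatedGuard {

    private static final AuthenticationTrustResolver RESOLVER = new AuthenticationTrustResolverImpl();

    // Pattern the advisory warns about: the SecurityContext holds null for a
    // request that never passed an authentication filter, and on the affected
    // versions the resolver answers true for null, so the check is bypassed.
    static boolean unsafeIsFullyAuthenticated() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return RESOLVER.isFullyAuthenticated(auth);
    }

    // Workaround: fail closed on null before delegating. Anonymous and
    // remember-me tokens are still rejected by the resolver as before.
    // The advisory's other option is to let the framework evaluate the check,
    // e.g. @PreAuthorize("isFullyAuthenticated()") on the secured method.
    static boolean isFullyAuthenticated(Authentication auth) {
        if (auth == null) {
            return false;
        }
        return RESOLVER.isFullyAuthenticated(auth);
    }

    public static void main(String[] args) {
        // Constructed sample tokens covering each Authentication kind the resolver distinguishes.
        List<GrantedAuthority> user = AuthorityUtils.createAuthorityList("ROLE_USER");
        Authentication anonymous = new AnonymousAuthenticationToken("key", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        Authentication rememberMe = new RememberMeAuthenticationToken("key", "alice", user);
        Authentication password = UsernamePasswordAuthenticationToken.authenticated("alice", null, user);

        System.out.println("null       -> " + isFullyAuthenticated(null));
        System.out.println("anonymous  -> " + isFullyAuthenticated(anonymous));
        System.out.println("rememberMe -> " + isFullyAuthenticated(rememberMe));
        System.out.println("password   -> " + isFullyAuthenticated(password));
    }
}
```

Only the password-authenticated token should be reported as fully authenticated; the wrapper returns false for the null case regardless of the Spring Security version in use.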

Fix

Weakness Enumeration

Improper Access Control

Related Identifiers

BDU:2024-01587
CVE-2024-22234
GHSA-W3W6-26F2-P474

Affected Products

Spring Security