PT-2024-2215 · Atlassian+1 · Bitbucket Data Center/Server+6

Pwnull · Published 2024-03-11 · Updated 2026-05-18 · CVE-2024-22257

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Spring Security versions 5.7.x prior to 5.7.12
Spring Security versions 5.8.x prior to 5.8.11
Spring Security versions 6.0.x prior to 6.0.9
Spring Security versions 6.1.x prior to 6.1.8
Spring Security versions 6.2.x prior to 6.2.3
Bitbucket Data Center and Server versions 8.0.0 through 8.19.0
Bamboo Data Center and Server versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, 9.5.0, and 9.6.0

Description

The issue is a broken access control flaw in Spring Security that occurs when an application calls the AuthenticatedVoter#vote method directly with a null Authentication parameter. This could allow an unauthenticated attacker to bypass authorization checks in the affected application, with a high impact on confidentiality and a low impact on integrity. Approximately 8,638 results have been found, mainly distributed in the United States and Canada.

Recommendations

For Spring Security versions 5.7.x prior to 5.7.12, upgrade to version 5.7.12 or later.
For Spring Security versions 5.8.x prior to 5.8.11, upgrade to version 5.8.11 or later.
For Spring Security versions 6.0.x prior to 6.0.9, upgrade to version 6.0.9 or later.
For Spring Security versions 6.1.x prior to 6.1.8, upgrade to version 6.1.8 or later.
For Spring Security versions 6.2.x prior to 6.2.3, upgrade to version 6.2.3 or later.
For Bitbucket Data Center and Server, upgrade to version 8.19.1 or later, or one of the specified supported fixed versions.
For Bamboo Data Center and Server, upgrade to version 9.6.1 or later, or one of the specified supported fixed versions.
As a temporary workaround, consider avoiding the direct use of AuthenticatedVoter#vote with a null Authentication parameter until a patch is available.
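The workaround above, shown as an added Java example that is not code from Pwnull or from Spring Security: a wrapper voter that fails closed when the Authentication is null, so the direct AuthenticatedVoter#vote call never sees a null parameter. The class name NullSafeAuthenticatedVoter and the helper isFullyAuthenticatedRequest are hypothetical; it assumes an application on an affected version that still invokes an AccessDecisionVoter directly.

```java
import java.util.Collection;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Hypothetical guard (not part of Spring Security) around the direct
 * AuthenticatedVoter#vote call named in the advisory. A null Authentication
 * is answered with ACCESS_DENIED before the delegate voter is consulted.
 */
public final class NullSafeAuthenticatedVoter implements AccessDecisionVoter<Object> {

    private final AuthenticatedVoter delegate = new AuthenticatedVoter();

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return delegate.supports(attribute);
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return delegate.supports(clazz);
    }

    @Override
    public int vote(Authentication authentication, Object object,
                    Collection<ConfigAttribute> attributes) {
        // Fail closed: an absent Authentication is never a reason to grant access,
        // and the affected versions must not be handed a null parameter at all.
        if (authentication == null) {
            return ACCESS_DENIED;
        }
        return delegate.vote(authentication, object, attributes);
    }

    /** Typical direct-use pattern: the Authentication is read from the context and may be null. */
    public static boolean isFullyAuthenticatedRequest() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Collection<ConfigAttribute> attrs =
                SecurityConfig.createList(AuthenticatedVoter.IS_AUTHENTICATED_FULLY);
        return new NullSafeAuthenticatedVoter().vote(auth, null, attrs) == ACCESS_GRANTED;
    }
}
```

The guard only covers call sites that route through this wrapper; upgrading to a fixed Spring Security version remains the actual remediation.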

Fix

Weakness Enumeration

Improper Access Control
Missing Authorization
Improper Authentication

Related Identifiers

BDU:2024-02143
CLEANSTART-2026-KP10590
CVE-2024-22257
GHSA-F3JH-QVM4-MG39

Affected Products

Bamboo
Bamboo Data Center/Server
Bitbucket
Bitbucket Data Center/Server
Confluence
Jira
Spring Security