PT-2024-28230 · Unknown · Spring Security

Josh Cummings · Published 2024-08-19 · Updated 2025-02-28 · CVE-2024-38810

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Spring Security versions 6.3.0 through 6.3.1

Description: The issue stems from missing authorization when @AuthorizeReturnObject is used in Spring Security, allowing an attacker to render security annotations ineffective. This potentially allows unauthorized access to sensitive data within affected applications. According to available data, there are approximately 8,577 potentially affected applications, and over 1,200 results have been found on a specific search platform.

Recommendations: For Spring Security versions 6.3.0 and 6.3.1, consider disabling the use of @AuthorizeReturnObject until a patch is available, so that attackers cannot render security annotations ineffective. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Authentication
Missing Authorization

Related Identifiers

CVE-2024-38810
GHSA-HMQF-WPQ9-JQ83

Affected Products

Spring Security