By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

CVE-2024-22257

Authorization Bypass

Affects

Spring Security

>=5.7.0 <5.7.12, >=5.8.0 <5.8.11, >=6.0.0 <6.0.10, >=6.1.0 <6.1.8, >=6.2.0 <6.2.3

Spring

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

Spring Security is a comprehensive Java security framework for securing enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of secure applications by allowing you to manage authentication, authorization, and other security concerns with ease. Spring Security integrates seamlessly with the Spring Framework, offering robust tools for configuring access controls, managing user roles, and protecting resources, all while allowing Java to be your primary language for application development.

‍

In affected versions of Spring Security, directly using the AuthenticatedVoter vote method with null authentication parameter can result in broken access control.

‍

Per Common Attack Pattern Enumeration and Classification CAPEC-115: Authentication Bypass is when an attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

‍

This issue affects multiple versions of Spring Security’s spring-security-core package.

‍

Details

Module Info

Product: Spring Security
Affected packages: spring-security-core
Affected versions: >=5.7.0 <5.7.12, >=5.8.0 <5.8.11, >=6.0.0 <6.0.10, >=6.1.0 <6.1.8, >=6.2.0 <6.2.3
GitHub repository: https://github.com/spring-projects/spring-security

Published packages: https://central.sonatype.com/artifact/org.springframework.security/spring-security-core

Package manager: Maven
Fixed In: NES for Spring Security v4.2.22, v5.7.13, and v5.8.15

‍

Vulnerability Info

An application may be at risk if it directly uses the AuthenticatedVoter#vote method and passes a null value for the Authentication parameter. This results in an erroneous true return value, potentially bypassing access control checks.

‍

Applications are not vulnerable if:

They do not use AuthenticatedVoter#vote directly.
They do not pass null to AuthenticatedVoter#vote.

‍

Steps To Reproduce

A simple test directly using AuthenticatedVoter can show if spring security has the vulnerability. This test will fail on vulnerable versions of security and pass on fixed versions.

@Test
public void cve2024_22257() {
    AuthenticatedVoter voter = new AuthenticatedVoter();
    List<ConfigAttribute> def = SecurityConfig.createList(
    AuthenticatedVoter.IS_AUTHENTICATED_ANONYMOUSLY);
    assertThat(AccessDecisionVoter.ACCESS_DENIED).isEqualTo(voter.vote(null, null, def));
}

‍

Credit

pwnull

‍

Mitigation

Spring Security 5 is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

‍

Users of the affected components should apply one of the following mitigations: