Overview
Spring Security is a comprehensive Java security framework for securing enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of secure applications by allowing you to manage authentication, authorization, and other security concerns with ease. Spring Security integrates seamlessly with the Spring Framework, offering robust tools for configuring access controls, managing user roles, and protecting resources, all while allowing Java to be your primary language for application development.
In affected versions of Spring Security, directly using the AuthenticatedVoter vote method with null authentication parameter can result in broken access control.
Per Common Attack Pattern Enumeration and Classification CAPEC-115: Authentication Bypass is when an attacker gains access to an application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
This issue affects multiple versions of Spring Security’s spring-security-core package.
Details
Module Info
- Product: Spring Security
- Affected packages: spring-security-core
- Affected versions: >=5.7.0 <5.7.12, >=5.8.0 <5.8.11, >=6.0.0 <6.0.10, >=6.1.0 <6.1.8, >=6.2.0 <6.2.3
- GitHub repository: https://github.com/spring-projects/spring-security
- Published packages: https://central.sonatype.com/artifact/org.springframework.security/spring-security-core
- Package manager: Maven
- Fixed In: NES for Spring Security v4.2.22, v5.7.13, and v5.8.15
Vulnerability Info
An application may be at risk if it directly uses the AuthenticatedVoter#vote method and passes a null value for the Authentication parameter. This results in an erroneous true return value, potentially bypassing access control checks.
Applications are not vulnerable if:
- They do not use AuthenticatedVoter#vote directly.
- They do not pass null to AuthenticatedVoter#vote.
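The two conditions above describe a single pattern: code that calls the voter directly and lets a missing Authentication reach it. The following class is an added illustration (not Spring Security's own code, and not part of this advisory) that places the vulnerable call beside a hardened form which treats a null Authentication as denied before the voter is consulted, so the outcome no longer depends on which spring-security-core version is on the classpath. The class name, method names and the "resource" placeholder are assumptions made for the example.

```java
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Illustrative guard around AuthenticatedVoter#vote (example code, not part of Spring Security).
 * On affected versions vote(null, ...) returns ACCESS_GRANTED; the guard makes sure a missing
 * Authentication is always denied, whatever version of the library is in use.
 */
public final class GuardedAuthenticatedVoter {

    // Require a fully authenticated principal (not anonymous, not remember-me).
    private static final List<ConfigAttribute> FULLY_AUTHENTICATED =
            SecurityConfig.createList(AuthenticatedVoter.IS_AUTHENTICATED_FULLY);

    private final AuthenticatedVoter delegate = new AuthenticatedVoter();

    /** Vulnerable pattern: relies on the voter itself to handle a null Authentication. */
    public int unguardedVote(Authentication authentication, Object secured) {
        return delegate.vote(authentication, secured, FULLY_AUTHENTICATED);
    }

    /** Hardened pattern: a null Authentication is denied before the voter is ever asked. */
    public int guardedVote(Authentication authentication, Object secured) {
        if (authentication == null) {
            return AccessDecisionVoter.ACCESS_DENIED;
        }
        return delegate.vote(authentication, secured, FULLY_AUTHENTICATED);
    }

    /**
     * Decides using whatever is in the current SecurityContext. The Authentication there is
     * null when no filter chain has populated it, which is exactly the input the advisory warns about.
     */
    public boolean isAllowed(Object secured) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        return guardedVote(current, secured) == AccessDecisionVoter.ACCESS_GRANTED;
    }

    public static void main(String[] args) {
        GuardedAuthenticatedVoter voter = new GuardedAuthenticatedVoter();
        // "resource" is a constructed placeholder for the secured object.
        System.out.println("guarded vote with null Authentication:   " + voter.guardedVote(null, "resource"));
        System.out.println("unguarded vote with null Authentication: " + voter.unguardedVote(null, "resource"));
        System.out.println("isAllowed with empty SecurityContext:    " + voter.isAllowed("resource"));
    }
}
```

Running the main method on an affected version shows the unguarded call granting access while the guarded call denies it; on a fixed version both deny. The guard is a stop-gap for code that must keep calling the voter directly; the durable fix is the version upgrade listed under Mitigation.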
Steps To Reproduce
A simple test directly using AuthenticatedVoter can show whether a given build of Spring Security has the vulnerability. This test will fail on vulnerable versions of Spring Security and pass on fixed versions.
import static org.assertj.core.api.Assertions.assertThat;
import java.util.List;
import org.junit.jupiter.api.Test;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;
@Test
public void cve2024_22257() {
    AuthenticatedVoter voter = new AuthenticatedVoter();
    List<ConfigAttribute> def = SecurityConfig.createList(
            AuthenticatedVoter.IS_AUTHENTICATED_ANONYMOUSLY);
    assertThat(voter.vote(null, null, def)).isEqualTo(AccessDecisionVoter.ACCESS_DENIED);
}
Credit
Mitigation
Spring Security 5 is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to supported versions of Spring Security.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.