CVE-2024-22257

Authorization Bypass
Affects
Spring Security
>=5.7.0 <5.7.12, >=5.8.0 <5.8.11, >=6.0.0 <6.0.10, >=6.1.0 <6.1.8, >=6.2.0 <6.2.3
in
Spring
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Security is a comprehensive Java security framework for securing enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of secure applications by allowing you to manage authentication, authorization, and other security concerns with ease. Spring Security integrates seamlessly with the Spring Framework, offering robust tools for configuring access controls, managing user roles, and protecting resources, all while allowing Java to be your primary language for application development.

In affected versions of Spring Security, calling the AuthenticatedVoter#vote method directly with a null Authentication parameter can result in broken access control.

Per Common Attack Pattern Enumeration and Classification CAPEC-115: Authentication Bypass is when an attacker gains access to an application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

This issue affects multiple versions of Spring Security’s spring-security-core package.

Details

Module Info

  • Package manager: Maven
  • Fixed In: NES for Spring Security v4.2.22, v5.7.13, and v5.8.15

Vulnerability Info

An application may be at risk if it directly uses the AuthenticatedVoter#vote method and passes a null value for the Authentication parameter. On affected versions the voter treats the missing Authentication as authenticated and returns ACCESS_GRANTED instead of ACCESS_DENIED, so any access-control check built on that call can be bypassed. Only direct callers are exposed: when the voter runs inside the normal filter-chain or method-security interceptors, a request with no Authentication is rejected before a vote is taken, so the null value never reaches the voter.

Applications are not vulnerable if:

  • They do not use AuthenticatedVoter#vote directly.
  • They do not pass null to AuthenticatedVoter#vote.
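The following is an added example (not code from the advisory or from the Spring Security project) showing the direct-call pattern the advisory warns about beside a hardened form. The ReportAccessGuard class, its method names and the "report" argument are assumptions for illustration; the Spring Security types and constants are real. The vulnerable method forwards whatever SecurityContextHolder returns, which is null when no one is logged in; the hardened method refuses a missing or unauthenticated principal before the voter is ever consulted, so it does not depend on the library's own null handling.

```java
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Hypothetical service-layer guard that calls AuthenticatedVoter#vote directly,
 * i.e. outside the framework interceptors. Class and method names are assumptions
 * made for this example.
 */
public class ReportAccessGuard {

    /** Require a fully authenticated principal (not anonymous, not remember-me). */
    private static final List<ConfigAttribute> REQUIRE_FULL_AUTH =
            SecurityConfig.createList(AuthenticatedVoter.IS_AUTHENTICATED_FULLY);

    private final AuthenticatedVoter voter = new AuthenticatedVoter();

    /**
     * Vulnerable pattern: whatever the security context holds is passed straight
     * to the voter. With nobody logged in, getAuthentication() returns null and,
     * on affected versions, the voter answers ACCESS_GRANTED for that null.
     */
    public void checkVulnerable(Object report) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        int decision = voter.vote(auth, report, REQUIRE_FULL_AUTH);
        if (decision != AccessDecisionVoter.ACCESS_GRANTED) {
            throw new AccessDeniedException("caller is not fully authenticated");
        }
        // affected versions reach this point for an unauthenticated caller
    }

    /**
     * Hardened pattern: a missing or unauthenticated principal is denied before
     * the voter is asked, so the outcome does not depend on library null handling.
     */
    public void checkHardened(Object report) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AccessDeniedException("no authenticated principal in context");
        }
        int decision = voter.vote(auth, report, REQUIRE_FULL_AUTH);
        if (decision != AccessDecisionVoter.ACCESS_GRANTED) {
            throw new AccessDeniedException("caller is not fully authenticated");
        }
    }

    /** Stand-alone demonstration with an empty security context (constructed input). */
    public static void main(String[] args) {
        SecurityContextHolder.clearContext(); // simulate an unauthenticated caller
        ReportAccessGuard guard = new ReportAccessGuard();
        Object report = "quarterly-report"; // placeholder secured object

        try {
            guard.checkVulnerable(report);
            System.out.println("vulnerable: access GRANTED to a null Authentication");
        } catch (AccessDeniedException e) {
            System.out.println("vulnerable: denied (fixed library version)");
        }

        try {
            guard.checkHardened(report);
            System.out.println("hardened: access granted (unexpected)");
        } catch (AccessDeniedException e) {
            System.out.println("hardened: denied as expected: " + e.getMessage());
        }
    }
}
```

Run against an affected spring-security-core version the first branch prints that access was granted; against a fixed version or with the hardened method it is denied. The explicit null and isAuthenticated() check is cheap and is worth keeping even after upgrading, since it makes the guard's behaviour independent of voter internals.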

Steps To Reproduce

A simple test that calls AuthenticatedVoter directly can show whether the Spring Security version in use has the vulnerability. The test fails on vulnerable versions of Spring Security and passes on fixed versions. The imports shown assume JUnit 5 and AssertJ; adjust them to the test framework in use.

import static org.assertj.core.api.Assertions.assertThat;
import java.util.List;
import org.junit.jupiter.api.Test;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;

@Test
public void cve2024_22257() {
    AuthenticatedVoter voter = new AuthenticatedVoter();
    // IS_AUTHENTICATED_ANONYMOUSLY is the most permissive attribute the voter supports
    List<ConfigAttribute> def = SecurityConfig.createList(AuthenticatedVoter.IS_AUTHENTICATED_ANONYMOUSLY);
    // A null Authentication must be denied; affected versions do not return ACCESS_DENIED here
    assertThat(voter.vote(null, null, def)).isEqualTo(AccessDecisionVoter.ACCESS_DENIED);
}

Credit

Mitigation

Spring Security 5 is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Security.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

  • ID: CVE-2024-22257
  • Project Affected: Spring Security
  • Versions Affected: >=5.7.0 <5.7.12, >=5.8.0 <5.8.11, >=6.0.0 <6.0.10, >=6.1.0 <6.1.8, >=6.2.0 <6.2.3
  • Published date: May 8, 2025
  • ≈ Fix date: November 21, 2024
  • Severity: High
  • Category: Authorization Bypass