Improper Access Control Affecting org.springframework.security:spring-security-core package, versions [,5.7.12) [5.8.0,5.8.11) [6.0.0,6.0.10) [6.1.0,6.1.8) [6.2.0,6.2.3)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6457293
- published 18 Mar 2024
- disclosed 18 Mar 2024
- credit pwnull
Introduced: 18 Mar 2024
CVE-2024-22257 Open this link in a new tabHow to fix?
Upgrade org.springframework.security:spring-security-core to version 5.7.12, 5.8.11, 6.0.10, 6.1.8, 6.2.3 or higher.
Overview
org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.
Affected versions of this package are vulnerable to Improper Access Control when the application uses AuthenticatedVoter directly and a null authentication parameter is passed to it. Exploiting this vulnerability resulting in an erroneous true return value.
Note
Users are not affected if:
The application does not use
AuthenticatedVoter#votedirectly.The application does not pass
nulltoAuthenticatedVoter#vote.