1. About the Vulnerability
| Field | Details |
|---|---|
| Vulnerability Name | Spring Security Broken Access Control Vulnerability (CVE-2024-22234) |
| Release Date | February 22, 2024 |
| Component Name | Spring Security |
| Affected Versions | 6.1.0 ≤ Spring Security < 6.1.7; 6.2.0 ≤ Spring Security < 6.2.2 |
| Vulnerability Type | Broken Access Control Vulnerability |
| Severity | CVSS v3 Base Score: 7.4 (High) |
| Exploitability | Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None |
| Impact | Confidentiality Impact: High; Integrity Impact: High; Availability Impact: None |
2. About CVE-2024-22234
2.1 About the Component
Spring Security is a powerful and highly customizable authentication and access control framework and the de-facto standard for securing Spring-based applications.
2.2 About the Vulnerability
On February 22, 2024, Sangfor FarSight Labs received notification of the broken access control vulnerability (CVE-2024-22234) in Spring Security, classified as high severity (CVSS Score 7.4) by VMware.
The vulnerability is caused by incorrect handling of the authentication parameter in an authentication-check method: AuthenticationTrustResolver.isFullyAuthenticated(Authentication) returns true when it is passed null, instead of treating a missing Authentication as not authenticated.
Specifically, an application is vulnerable if:
- The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly, and a null authentication parameter is passed to it, resulting in an erroneous true return value.
An application is not vulnerable if any of the following is true:
- The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly.
- The application never passes null to AuthenticationTrustResolver.isFullyAuthenticated(Authentication).
- The application only uses isFullyAuthenticated via Method Security or HTTP Request Security.
Attackers can exploit the vulnerability to bypass authentication, leading to the leakage of sensitive information from the server, thereby increasing the risk of the server being compromised.
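The following is an added illustration of the vulnerable and non-vulnerable conditions listed above; it is not code from this advisory or from the Spring Security project. It assumes spring-security-core is on the classpath; the class name FullyAuthenticatedGuard, its method names and the printed messages are hypothetical. The unsafe method shows the direct call pattern the advisory warns about (the current Authentication, which is null for a request that established no principal, handed straight to isFullyAuthenticated); the hardened method treats a missing Authentication as unauthenticated before the resolver is consulted, which is correct on every version. The main method doubles as a self-check: run it against the Spring Security version actually on your classpath, and the first line of output tells you whether that version still lets a null Authentication through.

```java
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical guard class used to illustrate CVE-2024-22234 (not Spring's code).
public class FullyAuthenticatedGuard {

    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    // VULNERABLE PATTERN (the condition the advisory describes):
    // the current Authentication is passed straight to isFullyAuthenticated().
    // When no principal has been established, getAuthentication() returns null,
    // and on 6.1.0-6.1.6 / 6.2.0-6.2.1 the resolver answers true for null,
    // so an unauthenticated caller passes this check.
    public void requireFullyAuthenticatedUnsafe() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!trustResolver.isFullyAuthenticated(auth)) {
            throw new AccessDeniedException("Full authentication required");
        }
    }

    // HARDENED PATTERN: a missing Authentication is "not authenticated" by
    // definition, so reject it before the resolver ever sees it. This holds on
    // every Spring Security version and matches the "never passes null"
    // non-vulnerable condition in the advisory.
    public void requireFullyAuthenticated() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !trustResolver.isFullyAuthenticated(auth)) {
            throw new AccessDeniedException("Full authentication required");
        }
    }

    // Self-check: simulate a request with no Authentication at all and see
    // how each guard behaves on the Spring Security version in use.
    public static void main(String[] args) {
        SecurityContextHolder.clearContext(); // no Authentication, as for an anonymous-free unauthenticated request
        FullyAuthenticatedGuard guard = new FullyAuthenticatedGuard();

        try {
            guard.requireFullyAuthenticatedUnsafe();
            System.out.println("unsafe guard PASSED with null Authentication: resolver is affected by CVE-2024-22234");
        } catch (AccessDeniedException e) {
            System.out.println("unsafe guard denied null Authentication: resolver already rejects null (fixed version)");
        }

        try {
            guard.requireFullyAuthenticated();
            System.out.println("hardened guard PASSED: this should never happen");
        } catch (AccessDeniedException e) {
            System.out.println("hardened guard denied null Authentication as expected");
        }
    }
}
```

Where a code base can avoid the direct call altogether, the advisory's third non-vulnerable condition is the simplest route: express the requirement through Method Security (for example @PreAuthorize("isFullyAuthenticated()")) or HTTP request security, and reserve direct AuthenticationTrustResolver use for the few places that genuinely need it, each with an explicit null check. A quick grep for isFullyAuthenticated( across the application sources is an effective way to find the call sites that need review.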
3. Affected Versions
6.1.0 ≤ Spring Security < 6.1.7
6.2.0 ≤ Spring Security < 6.2.2
4. Solutions
4.1 Remediation Solutions
4.1.1 Official Solution
The Spring team has released fixed versions of Spring Security (6.1.7 for the 6.1 line and 6.2.2 for the 6.2 line), and affected users are strongly advised to update to a fixed version to remediate the vulnerability. For more information, visit https://spring.io/projects/spring-security
5. Timeline
On February 22, 2024, Sangfor FarSight Labs received notification of the broken access control vulnerability (CVE-2024-22234) in Spring Security.
On February 22, 2024, Sangfor FarSight Labs released a vulnerability alert.
6. References
https://spring.io/security/cve-2024-22234
https://nvd.nist.gov/vuln/detail/CVE-2024-22234
7. About Sangfor FarSight Labs
Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.