8.2

CVSS Score

Basic Information

CVE ID

CVE-2024-22257

GHSA ID

GHSA-f3jh-qvm4-mg39

EPSS Score

CWE

CWE-287

Published

3/18/2024

Updated

11/12/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-22257

CVE-2024-22257:
Erroneous authentication pass in Spring Security

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.

Specifically, an application is vulnerable if:

The application uses AuthenticatedVoter directly and a null authentication parameter is passed to it resulting in an erroneous true return value.

An application is not vulnerable if any of the following is true:

The application does not use AuthenticatedVoter#vote directly.
The application does not pass null to AuthenticatedVoter#vote.

Note that AuthenticatedVoter is deprecated since 5.8, use implementations of AuthorizationManager as a replacement.

(GitHub Advisory)

8.2

CVSS Score

Basic Information

CVE ID

CVE-2024-22257

GHSA ID

GHSA-f3jh-qvm4-mg39

EPSS Score

CWE

CWE-287

Published

3/18/2024

Updated

11/12/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.springframework.security:spring-security-core	maven	< 5.7.12	5.7.12
org.springframework.security:spring-security-core	maven	>= 5.8.0, < 5.8.11	5.8.11
org.springframework.security:spring-security-core	maven	>= 6.0.0, < 6.1.8	6.1.8
org.springframework.security:spring-security-core	maven	>= 6.2.0, < 6.2.3	6.2.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability occurs when AuthenticatedVoter.vote is called with a null Authentication parameter. The commit 5a7f12f1a9fdb4edaab6f61495f1d781a7273b61 addresses this by modifying the isFullyAuthenticated method, which is called by vote. The patch adds a null check for the authentication parameter in isFullyAuthenticated. Therefore, AuthenticatedVoter.vote is the public-facing vulnerable function as it's the one an application would call directly with the problematic null input, and AuthenticatedVoter.isFullyAuthenticated is the function that contained the specific logical flaw (missing null check) that led to the vulnerability. Both functions would appear in a runtime profile during the exploitation of this vulnerability. The changes in the test file AuthenticatedVoterTests.java further confirm that the vote method's behavior with a null Authentication was the scenario being fixed.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In Sprin* S**urity, v*rsions *.*.x prior to *.*.**, *.*.x prior to *.*.**, v*rsions *.*.x prior to *.*.*, v*rsions *.*.x prior to *.*.*, v*rsions *.*.x prior to *.*.*, *n *ppli**tion is possi*l* vuln*r**l* to *rok*n ****ss *ontrol w**n it *ir**tly us

Reasoning

T** vuln*r**ility o**urs w**n `*ut**nti**t**Vot*r.vot*` is **ll** wit* * null `*ut**nti**tion` p*r*m*t*r. T** *ommit `****************************************` ***r*ss*s t*is *y mo*i*yin* t** `is*ully*ut**nti**t**` m*t*o*, w*i** is **ll** *y `vot*`.

8.2

Basic Information

Concerned about an active attack path?

CVE-2024-22257: Erroneous authentication pass in Spring Security

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-22257:
Erroneous authentication pass in Spring Security

Vulnerability Intelligence
Miggo AI