The vulnerability exists in the core annotation detection mechanism of the Spring Framework. The issue arises when the framework attempts to resolve annotations on methods within a class hierarchy that involves generic superclasses or interfaces with unbounded generic types. The methods org.springframework.core.annotation.AnnotatedMethod.isOverrideFor and org.springframework.core.annotation.AnnotationsScanner.hasSameGenericTypeParameters used ResolvableType.resolve(), which would return null when a generic type was not resolvable. This behavior would break the logic that detects overridden methods, causing the system to fail to find and apply annotations from the parent class or interface.
If an application uses Spring Security's @EnableMethodSecurity feature and has security annotations on methods in generic base classes or interfaces, this vulnerability can be exploited. An attacker could call a method that should be secured, but because the framework fails to see the security annotation, the authorization check is never performed, granting unauthorized access. The patch addresses this by replacing the call to ResolvableType.resolve() with ResolvableType.toClass(), which returns a non-null Class object (e.g., Object.class) for unresolved generics. This allows the override detection to function correctly and apply the necessary security annotations.
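An added illustration of the resolve()/toClass() difference the advisory describes; it is constructed for this page and is not Spring's own override-detection code. It assumes only spring-core on the classpath and a hierarchy whose type variable stays unbounded down to the implementation, so the parent parameter type cannot be resolved to a concrete class:

```java
import java.lang.reflect.Method;
import org.springframework.core.ResolvableType;

// Constructed example: an interface whose type variable remains unbounded
// in the implementing class. A security annotation on Repo.delete would
// have to be carried over to GenericRepo.delete by override detection.
interface Repo<T> {
    // e.g. @PreAuthorize("hasRole('ADMIN')") would sit here
    void delete(T item);
}

class GenericRepo<T> implements Repo<T> {
    @Override
    public void delete(T item) { }   // erased signature: delete(Object)
}

public class UnresolvedGenericDemo {

    // Simplified, illustrative override check (hypothetical helper, not
    // Spring's). useToClass=false mirrors the pre-fix comparison, where
    // resolve() yields null for an unresolvable type variable; useToClass=true
    // mirrors the fix, where toClass() falls back to Object.class instead.
    static boolean isOverrideFor(Method parent, Method candidate, Class<?> impl, boolean useToClass) {
        if (!parent.getName().equals(candidate.getName())
                || parent.getParameterCount() != candidate.getParameterCount()) {
            return false;
        }
        Class<?>[] candidateParams = candidate.getParameterTypes();
        for (int i = 0; i < candidateParams.length; i++) {
            ResolvableType rt = ResolvableType.forMethodParameter(parent, i, impl);
            Class<?> resolved = useToClass ? rt.toClass() : rt.resolve();
            // Object.class never equals null, so the pre-fix path rejects the override
            if (candidateParams[i] != resolved) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws NoSuchMethodException {
        Method parent = Repo.class.getMethod("delete", Object.class);
        Method candidate = GenericRepo.class.getMethod("delete", Object.class);

        System.out.println("with resolve(): " + isOverrideFor(parent, candidate, GenericRepo.class, false));
        System.out.println("with toClass(): " + isOverrideFor(parent, candidate, GenericRepo.class, true));
    }
}
```

With the resolve()-based comparison the override is not recognised, so an annotation declared on Repo.delete would never be applied to GenericRepo.delete; with toClass() the comparison succeeds and the annotation is inherited as intended.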
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.springframework:spring-core | maven | >= 5.3.0, <= 5.3.44 | |
| org.springframework:spring-core | maven | >= 6.0.0, <= 6.1.22 | |
| org.springframework:spring-core | maven | >= 6.2.0, <= 6.2.10 | 6.2.11 |