Description
In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is vulnerable if:
- The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it, resulting in an erroneous true return value.
An application is not vulnerable if any of the following is true:
- The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly.
- The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated.
- The application only uses isFullyAuthenticated via Method Security (https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html) or HTTP Request Security (https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html).
A vulnerability was found in Spring Security. This issue may lead to Broken Access Control, allowing a malicious user to impact the Confidentiality and Integrity of an application or server. This requires the application to use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and have a null authentication parameter passed to it, resulting in an erroneous true return value.
Statement
Red Hat considers this a Moderate impact issue, since it requires the malicious user to have knowledge of how the server implements the authentication resolver from Spring Security. Validation is also suggested to make sure no null parameter reaches this method and no erroneous true is returned by it. An application is not vulnerable if any of the following are true:
- The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly.
- The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated.
- The application only uses isFullyAuthenticated via Method Security or HTTP Request Security.
Mitigation
Make sure the application is not vulnerable according to the conditions listed in the Description section of this page.
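As an added example (not code from the advisory, from Spring Security or from any Red Hat product), the hypothetical `FullyAuthenticatedCheck` class below places the vulnerable direct-call pattern next to a null-guarded version and adds a probe that reports whether the spring-security-core build on the classpath still returns true for a null argument. It assumes spring-security-core 6.1 or later on the classpath and runs without a Spring application context.

```java
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical helper written for this page; not part of Spring Security. */
public final class FullyAuthenticatedCheck {

    private static final AuthenticationTrustResolver RESOLVER = new AuthenticationTrustResolverImpl();

    /**
     * Vulnerable pattern: the Authentication taken from the SecurityContext is null
     * when no user is authenticated, and affected versions answer true for null.
     */
    static boolean vulnerableIsFullyAuthenticated() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return RESOLVER.isFullyAuthenticated(auth);
    }

    /** Hardened pattern: "no authentication at all" is never fully authenticated. */
    static boolean safeIsFullyAuthenticated(Authentication auth) {
        return auth != null && RESOLVER.isFullyAuthenticated(auth);
    }

    /** Probe: true means the classpath build still shows the erroneous behaviour. */
    static boolean classpathIsAffected() {
        return RESOLVER.isFullyAuthenticated(null);
    }

    public static void main(String[] args) {
        // Constructed scenario: an empty security context, i.e. an unauthenticated caller.
        SecurityContextHolder.clearContext();
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        System.out.println("classpath affected      : " + classpathIsAffected());
        System.out.println("direct call, null auth  : " + vulnerableIsFullyAuthenticated());
        System.out.println("guarded call, null auth : " + safeIsFullyAuthenticated(auth));
    }
}
```

On an affected build the first two lines print true while the guarded call prints false; after upgrading to 6.1.7 or 6.2.2, the probe no longer reports true.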
Affected packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| A-MQ Clients 2 | spring-security | Not affected | | |
| OpenShift Developer Tools and Services | jenkins | Will not fix | | |
| Red Hat build of Apache Camel for Spring Boot 3 | spring-security | Not affected | | |
| Red Hat build of Apache Camel for Spring Boot 4 | spring-security | Affected | | |
| Red Hat build of Apache Camel - HawtIO 4 | spring-security | Not affected | | |
| Red Hat Build of Keycloak | spring-security | Not affected | | |
| Red Hat build of Quarkus | io.quarkus/quarkus-spring-security | Not affected | | |
| Red Hat Data Grid 8 | spring-security | Not affected | | |
| Red Hat Decision Manager 7 | spring-security | Out of support scope | | |
| Red Hat Enterprise Linux 8 | log4j:2/log4j | Not affected | | |
Additional information
CVSS3: 7.4 High
Related vulnerabilities
Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated
Vulnerability in the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method of Spring Security, a Java framework for securing enterprise applications, allowing an attacker to affect the integrity and confidentiality of protected information.