exploitDog
CVE-2024-22257

Published: 18 Mar 2024
Source: redhat
CVSS3: 9.8 (Red Hat score; the NVD entry listed under related vulnerabilities below rates it 8.2)
EPSS: Low

Description

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.

A broken access control flaw was found in Spring Security. Applications may be vulnerable when they call AuthenticatedVoter#vote directly and pass a null Authentication parameter.

Statement

The AuthenticatedVoter class has been deprecated since Spring Security 5.8 in favor of the AuthorizationManager class, which is not vulnerable to this issue.
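The following is an added example; it is not code from this page, from Red Hat, or from the Spring Security project. It puts the pattern the description warns about (calling AuthenticatedVoter#vote directly with a null Authentication) next to a null-guarded wrapper for code that cannot migrate yet, and next to the AuthorizationManager replacement the statement above recommends. It assumes spring-security-core on the classpath; the class name AuthenticatedVoterDemo and the helper names voteDirectly, voteWithNullGuard and checkWithManager are illustrative. What the direct voter call returns for a null Authentication depends on whether the version on the classpath falls in one of the affected ranges, so run it against an affected and a fixed release to compare.

```java
// Added example, not from the page or the Spring Security project.
// Assumes spring-security-core on the classpath (e.g. a 6.2.x release).
import java.util.List;
import java.util.function.Supplier;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;

public class AuthenticatedVoterDemo {

    // Pattern the advisory warns about: vote() invoked directly with whatever
    // Authentication the caller happens to hold. That reference can be null when
    // no SecurityContext was populated (background thread, misordered filter
    // chain, a request that never passed an authentication filter).
    static int voteDirectly(Authentication auth) {
        AuthenticatedVoter voter = new AuthenticatedVoter();
        List<ConfigAttribute> attrs =
                SecurityConfig.createList(AuthenticatedVoter.IS_AUTHENTICATED_FULLY);
        return voter.vote(auth, new Object(), attrs);
    }

    // Defensive wrapper (illustrative) for code that cannot yet move off the
    // voter: never consult the voter at all when there is no Authentication.
    static int voteWithNullGuard(Authentication auth) {
        if (auth == null) {
            return AccessDecisionVoter.ACCESS_DENIED;
        }
        return voteDirectly(auth);
    }

    // Replacement the statement points to: AuthorizationManager takes a
    // Supplier<Authentication> and returns an explicit decision object.
    static AuthorizationDecision checkWithManager(Authentication auth) {
        AuthorizationManager<Object> manager =
                AuthenticatedAuthorizationManager.fullyAuthenticated();
        Supplier<Authentication> supplier = () -> auth;
        return manager.check(supplier, new Object());
    }

    static String describe(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "ACCESS_GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "ACCESS_DENIED";
            default:                                 return "ACCESS_ABSTAIN";
        }
    }

    public static void main(String[] args) {
        // A null Authentication is exactly the input the advisory describes.
        // On an affected release the direct call is where access control breaks;
        // the guarded wrapper and the AuthorizationManager path do not depend on
        // the voter's handling of null.
        System.out.println("direct voter, null auth         : " + describe(voteDirectly(null)));
        System.out.println("guarded voter, null auth        : " + describe(voteWithNullGuard(null)));
        AuthorizationDecision decision = checkWithManager(null);
        System.out.println("AuthorizationManager, null auth : granted=" + decision.isGranted());
    }
}
```

When auditing an application for this issue, grep for direct `.vote(` calls on `AuthenticatedVoter` (or custom `AccessDecisionVoter` wrappers around it) outside the framework's own `AccessDecisionManager` path; those are the call sites where the caller, not the filter chain, is responsible for the Authentication argument.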

Mitigation

Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.

Affected packages

Platform                                          | Package          | State
--------------------------------------------------|------------------|-------------
A-MQ Clients 2                                    | spring-security  | Not affected
OpenShift Developer Tools and Services            | jenkins          | Will not fix
Red Hat build of Apache Camel for Spring Boot 3   | spring-security  | Affected
Red Hat build of Apache Camel for Spring Boot 4   | spring-security  | Affected
Red Hat build of Apache Camel - HawtIO 4          | spring-security  | Will not fix
Red Hat Build of Keycloak                         | spring-security  | Not affected
Red Hat Data Grid 8                               | spring-security  | Not affected
Red Hat Fuse 7                                    | spring-security  | Affected
Red Hat Integration Camel K 1                     | spring-security  | Not affected
Red Hat JBoss Data Grid 7                         | spring-security  | Not affected


Additional information

Severity (Red Hat): Important
Weakness: CWE-284 (Improper Access Control)
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2270158
spring-security: Broken Access Control With Direct Use of AuthenticatedVoter

EPSS

Score: 0.00264 (percentile 49%), Low

CVSS3

9.8 Critical

Related vulnerabilities

CVSS3: 8.2
nvd
almost 2 years ago

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.

CVSS3: 8.2
debian
almost 2 years ago

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5. ...

CVSS3: 8.2
github
almost 2 years ago

Erroneous authentication pass in Spring Security

CVSS3: 8.2
fstec
almost 2 years ago

Vulnerability in the AuthenticatedVoter class of the Spring Security Java framework for securing enterprise applications, allowing an attacker to gain unauthorized access to protected information
