Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13M3c2LTI2ZjItcDQ3NM4AA5YR

Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated

In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method.

Specifically, an application is vulnerable if:

An application is not vulnerable if any of the following is true:

Permalink: https://github.com/advisories/GHSA-w3w6-26f2-p474
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13M3c2LTI2ZjItcDQ3NM4AA5YR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 4 months ago


CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-w3w6-26f2-p474, CVE-2024-22234
References: Repository: https://github.com/spring-projects/spring-security
Blast Radius: 34.4

Affected Packages

maven:org.springframework.security:spring-security-core
Dependent packages: 1,940
Dependent repositories: 44,289
Downloads:
Affected Version Ranges: >= 6.2.0, < 6.2.2, >= 6.1.0, < 6.1.7
Fixed in: 6.2.2, 6.1.7
All affected versions: 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.4.11, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 5.6.7, 5.6.8, 5.6.9, 5.6.10, 5.6.11, 5.6.12, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.7.4, 5.7.5, 5.7.6, 5.7.7, 5.7.8, 5.7.9, 5.7.10, 5.7.11, 5.7.12, 5.8.0, 5.8.1, 5.8.2, 5.8.3, 5.8.4, 5.8.5, 5.8.6, 5.8.7, 5.8.8, 5.8.9, 5.8.10, 5.8.11, 5.8.12, 5.8.13, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.1.7, 6.1.8, 6.1.9, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.3.0, 6.3.1