{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22234", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2024-01-08T16:40:16.141Z", "datePublished": "2024-02-20T07:02:50.873Z", "dateUpdated": "2024-08-01T22:43:33.656Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Spring Security", "vendor": "Spring", "versions": [{"lessThan": "6.1.7", "status": "affected", "version": "6.1.x", "versionType": "6.1.7"}, {"lessThan": "6.2.2", "status": "affected", "version": "6.2.x", "versionType": "6.2.2"}]}], "datePublic": "2024-02-19T08:59:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the <code>AuthenticationTrustResolver.isFullyAuthenticated(Authentication)</code>&nbsp;method.</p><p>Specifically, an application is vulnerable if:</p><ul><li>The application uses <code>AuthenticationTrustResolver.isFullyAuthenticated(Authentication)</code>&nbsp;directly and a <code>null</code>&nbsp;authentication parameter is passed to it resulting in an erroneous <code>true</code>&nbsp;return value.</li></ul><p>An application is not vulnerable if any of the following is true:</p><ul><li>The application does not use <code>AuthenticationTrustResolver.isFullyAuthenticated(Authentication)</code>&nbsp;directly.</li><li>The application does not pass <code>null</code>&nbsp;to <code>AuthenticationTrustResolver.isFullyAuthenticated</code></li><li>The application only uses <code>isFullyAuthenticated</code>&nbsp;via <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html\">Method Security</a>&nbsp;or <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html\">HTTP Request Security</a></li></ul><br>"}], "value": "In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication)\u00a0method.\n\nSpecifically, an application is vulnerable if:\n\n * The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication)\u00a0directly and a null\u00a0authentication parameter is passed to it resulting in an erroneous true\u00a0return value.\n\n\nAn application is not vulnerable if any of the following is true:\n\n * The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication)\u00a0directly.\n * The application does not pass null\u00a0to AuthenticationTrustResolver.isFullyAuthenticated\n * The application only uses isFullyAuthenticated\u00a0via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html \u00a0or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html \n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-02-20T07:02:50.873Z"}, "references": [{"url": "https://spring.io/security/cve-2024-22234"}, {"url": "https://security.netapp.com/advisory/ntap-20240315-0003/"}], "source": {"discovery": "UNKNOWN"}, "title": "CVE-2024-22234: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "affected": [{"vendor": "vmware", "product": "spring_security", "cpes": ["cpe:2.3:a:vmware:spring_security:6.1.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "6.1.0", "status": "affected", "lessThan": "6.1.7", "versionType": "custom"}]}, {"vendor": "vmware", "product": "spring_security", "cpes": ["cpe:2.3:a:vmware:spring_security:6.2.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "6.2.0", "status": "affected", "lessThan": "6.2.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-21T19:46:52.509563Z", "id": "CVE-2024-22234", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T17:21:05.285Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:33.656Z"}, "title": "CVE Program Container", "references": [{"url": "https://spring.io/security/cve-2024-22234", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240315-0003/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://spring.io/security/cve-2024-22234", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240315-0003/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:33.656Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22234", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-02-21T19:46:52.509563Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:vmware:spring_security:6.1.0:*:*:*:*:*:*:*"], "vendor": "vmware", "product": "spring_security", "versions": [{"status": "affected", "version": "6.1.0", "lessThan": "6.1.7", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:vmware:spring_security:6.2.0:*:*:*:*:*:*:*"], "vendor": "vmware", "product": "spring_security", "versions": [{"status": "affected", "version": "6.2.0", "lessThan": "6.2.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T17:20:13.341Z"}}], "cna": {"title": "CVE-2024-22234: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "6.1.x", "lessThan": "6.1.7", "versionType": "6.1.7"}, {"status": "affected", "version": "6.2.x", "lessThan": "6.2.2", "versionType": "6.2.2"}], "defaultStatus": "unaffected"}], "datePublic": "2024-02-19T08:59:00.000Z", "references": [{"url": "https://spring.io/security/cve-2024-22234"}, {"url": "https://security.netapp.com/advisory/ntap-20240315-0003/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication)\u00a0method.\n\nSpecifically, an application is vulnerable if:\n\n * The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication)\u00a0directly and a null\u00a0authentication parameter is passed to it resulting in an erroneous true\u00a0return value.\n\n\nAn application is not vulnerable if any of the following is true:\n\n * The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication)\u00a0directly.\n * The application does not pass null\u00a0to AuthenticationTrustResolver.isFullyAuthenticated\n * The application only uses isFullyAuthenticated\u00a0via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html \u00a0or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html \n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the <code>AuthenticationTrustResolver.isFullyAuthenticated(Authentication)</code>&nbsp;method.</p><p>Specifically, an application is vulnerable if:</p><ul><li>The application uses <code>AuthenticationTrustResolver.isFullyAuthenticated(Authentication)</code>&nbsp;directly and a <code>null</code>&nbsp;authentication parameter is passed to it resulting in an erroneous <code>true</code>&nbsp;return value.</li></ul><p>An application is not vulnerable if any of the following is true:</p><ul><li>The application does not use <code>AuthenticationTrustResolver.isFullyAuthenticated(Authentication)</code>&nbsp;directly.</li><li>The application does not pass <code>null</code>&nbsp;to <code>AuthenticationTrustResolver.isFullyAuthenticated</code></li><li>The application only uses <code>isFullyAuthenticated</code>&nbsp;via <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html\">Method Security</a>&nbsp;or <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html\">HTTP Request Security</a></li></ul><br>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-02-20T07:02:50.873Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22234", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:43:33.656Z", "dateReserved": "2024-01-08T16:40:16.141Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2024-02-20T07:02:50.873Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication)\u00a0method.\n\nSpecifically, an application is vulnerable if:\n\n * The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication)\u00a0directly and a null\u00a0authentication parameter is passed to it resulting in an erroneous true\u00a0return value.\n\n\nAn application is not vulnerable if any of the following is true:\n\n * The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication)\u00a0directly.\n * The application does not pass null\u00a0to AuthenticationTrustResolver.isFullyAuthenticated\n * The application only uses isFullyAuthenticated\u00a0via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html \u00a0or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html \n\n\n\n"}, {"lang": "es", "value": "En Spring Security, versiones 6.1.x anteriores a 6.1.7 y versiones 6.2.x anteriores a 6.2.2, una aplicaci\u00f3n es vulnerable a un control de acceso roto cuando utiliza directamente el m\u00e9todo AuthenticationTrustResolver.isFullyAuthenticated(Authentication). Espec\u00edficamente, una aplicaci\u00f3n es vulnerable si: * La aplicaci\u00f3n usa AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directamente y se le pasa un par\u00e1metro de autenticaci\u00f3n nulo, lo que genera un valor de retorno verdadero err\u00f3neo. Una aplicaci\u00f3n no es vulnerable si se cumple alguna de las siguientes condiciones: * La aplicaci\u00f3n no utiliza AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directamente. * La aplicaci\u00f3n no pasa nulo a AuthenticationTrustResolver.isFullyAuthenticated * La aplicaci\u00f3n solo usa isFullyAuthenticated a trav\u00e9s de Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html o HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html"}], "id": "CVE-2024-22234", "lastModified": "2024-08-01T13:46:53.813", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2024-02-20T07:15:09.967", "references": [{"source": "security@vmware.com", "url": "https://security.netapp.com/advisory/ntap-20240315-0003/"}, {"source": "security@vmware.com", "url": "https://spring.io/security/cve-2024-22234"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3550", "cpe": "cpe:/a:redhat:rhboac_hawtio:4.0.0", "package": "spring-security", "product_name": "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/pluginregistry-rhel8:3.16-16", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}], "bugzilla": {"description": "spring-security: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated", "id": "2265172", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265172"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-284", "details": ["In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication)\u00a0method.\nSpecifically, an application is vulnerable if:\n* The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication)\u00a0directly and a null\u00a0authentication parameter is passed to it resulting in an erroneous true\u00a0return value.\nAn application is not vulnerable if any of the following is true:\n* The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication)\u00a0directly.\n* The application does not pass null\u00a0to AuthenticationTrustResolver.isFullyAuthenticated\n* The application only uses isFullyAuthenticated\u00a0via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html \u00a0or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html", "A vulnerability was found in Spring Security. This issue may lead to Broken Access Control, allowing a malicious user to impact the Confidentiality and Integrity of an application or server. This requires the application to use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and have a null authentication parameter passed to it, resulting in an erroneous true return value."], "mitigation": {"lang": "en:us", "value": "Make sure the application is not vulnerable according to the description bullet points mentioned in this page."}, "name": "CVE-2024-22234", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "spring-security", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Will not fix", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "spring-security", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "spring-security", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "spring-security", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Not affected", "package_name": "io.quarkus/quarkus-spring-security", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "spring-security", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Out of support scope", "package_name": "spring-security", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "spring-security", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "spring-security", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "spring-security", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "spring-security", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "spring-security", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "spring-security", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "spring-security", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "spring-security", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "spring-security", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Out of support scope", "package_name": "spring-security", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "spring-security", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "spring-security", "product_name": "streams for Apache Kafka"}], "public_date": "2024-02-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-22234\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-22234\nhttps://spring.io/security/cve-2024-22234"], "statement": "Red Hat considers this as a Moderate impact since it requires the malicious user to have knowledge of how a server implements the authentication resolver from Spring Security. A validation is also suggested to make sure there are no null parameters and no erroneous true is triggered from this method.\nAn application is not vulnerable if any of the following are true:\n- The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly\n- The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated\n- The application only uses isFullyAuthenticated via Method Security or HTTP Request Security", "threat_severity": "Moderate", "upstream_fix": "spring-security 6.1.7, spring-security 6.2.2"}