CVE-2024-22257
Broken Access Control vulnerability in spring-security-core (Maven)
What is CVE-2024-22257 About?
This vulnerability in Spring Security allows for broken access control when the `AuthenticatedVoter#vote` method is directly used with a `null` `Authentication` parameter. This leads to an erroneous `true` return value, granting unauthorized access. Exploitation depends on specific application code that directly calls the `AuthenticatedVoter` with a `null` argument.
Affected Software
- org.springframework.security:spring-security-core
  - <5.7.12
  - >5.8.0, <5.8.11
  - >6.0.0, <6.1.8
  - >6.2.0, <6.2.3
Technical Details
The vulnerability exists in Spring Security's AuthenticatedVoter#vote method. This method is designed to determine if an authentication token is sufficiently authenticated to grant access to a secured resource. However, if an application directly invokes AuthenticatedVoter#vote and passes a null Authentication object as a parameter, the method incorrectly returns true (access granted) instead of indicating that the authentication is absent or insufficient. This bypasses intended access control checks, allowing an unauthenticated or unauthorized user to access resources that should be protected. The issue arises when developers bypass the standard Spring Security filter chain and directly interact with this specific voter with improper parameters.
What is the Impact of CVE-2024-22257?
Successful exploitation may allow attackers to bypass intended access control mechanisms, gaining unauthorized access to protected resources or functionalities within the application.
What is the Exploitability of CVE-2024-22257?
Exploitation of this vulnerability is of moderate to high complexity. It requires specific application code that directly calls AuthenticatedVoter#vote with a null Authentication parameter. There are no direct remote vectors to trigger this unless an attacker can manipulate application flow to lead to this specific code path. Authentication requirements depend on the context of the AuthenticatedVoter use; typically, it would allow an unauthenticated user to gain access. No particular privilege is required beyond being able to interact with the vulnerable application endpoint. This is generally a local vulnerability, requiring knowledge of the application's internal access control logic. Risk factors include custom security configurations that deviate from standard Spring Security practices and direct use of deprecated components like AuthenticatedVoter.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-22257?
About the Fix from Resolved Security
The patch adds a null check for the Authentication object in the isFullyAuthenticated method, preventing a NullPointerException. This change ensures that access is denied when authentication is null, which fixes CVE-2024-22257 by preventing unauthenticated users from being incorrectly granted access due to missing null validation.
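As an added example (not code from this page or from the Spring Security project), the following Java program exercises the behaviour described in the Technical Details and fix sections above: it calls the real `AuthenticatedVoter#vote` with a `null` `Authentication` as a regression check that an upgraded build denies access, and it shows an application-side guard that never hands `null` to the voter in the first place. It assumes `spring-security-core` is on the classpath; the class name `AuthenticatedVoterNullCheck` and the `guardedVote` helper are hypothetical names chosen here. Note that `vote` reports its decision through the `AccessDecisionVoter` integer constants, so the erroneous grant appears as `ACCESS_GRANTED` rather than a boolean `true`.

```java
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

// Hypothetical class name; not part of Spring Security.
public class AuthenticatedVoterNullCheck {

    // The attribute AuthenticatedVoter supports; the constant lives on the voter itself.
    private static final List<ConfigAttribute> FULLY_AUTHENTICATED =
            SecurityConfig.createList(AuthenticatedVoter.IS_AUTHENTICATED_FULLY);

    /**
     * Application-side guard (hypothetical helper): refuse before the voter is reached
     * whenever there is no Authentication at all, regardless of library version.
     */
    static int guardedVote(AuthenticatedVoter voter, Authentication authentication, Object secured) {
        if (authentication == null) {
            return AccessDecisionVoter.ACCESS_DENIED;
        }
        return voter.vote(authentication, secured, FULLY_AUTHENTICATED);
    }

    public static void main(String[] args) {
        AuthenticatedVoter voter = new AuthenticatedVoter();
        Object securedObject = new Object(); // placeholder for the secured resource

        // Regression check for the advisory: a fixed build denies a null Authentication.
        int direct = voter.vote(null, securedObject, FULLY_AUTHENTICATED);
        System.out.println("vote(null, ...) = " + direct
                + (direct == AccessDecisionVoter.ACCESS_GRANTED
                        ? "  <-- affected build, upgrade required"
                        : "  (access denied)"));

        // Contrast: a token constructed with authorities is marked authenticated and is
        // neither anonymous nor remember-me, so the voter grants it.
        Authentication user = new TestingAuthenticationToken("alice", "n/a", "ROLE_USER");
        System.out.println("vote(user, ...) = " + voter.vote(user, securedObject, FULLY_AUTHENTICATED));

        // The guard denies null on every version, fixed or not.
        System.out.println("guardedVote(null) = " + guardedVote(voter, null, securedObject));
    }
}
```

Run it against the pinned `spring-security-core` version before and after upgrading: on an affected build the first line reports `ACCESS_GRANTED` (1) for a `null` `Authentication`, while on 5.7.12, 5.8.11, 6.1.8 or 6.2.3 it reports `ACCESS_DENIED` (-1). The guard is worth keeping even after the upgrade, since the advisory's root cause is application code that bypasses the filter chain and calls the voter directly.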
Available Upgrade Options
- org.springframework.security:spring-security-core
  - <5.7.12 → Upgrade to 5.7.12
  - >5.8.0, <5.8.11 → Upgrade to 5.8.11
  - >6.0.0, <6.1.8 → Upgrade to 6.1.8
  - >6.2.0, <6.2.3 → Upgrade to 6.2.3
Additional Resources
- https://spring.io/security/cve-2024-22257
- https://github.com/spring-projects/spring-security
- https://osv.dev/vulnerability/GHSA-f3jh-qvm4-mg39
- https://security.netapp.com/advisory/ntap-20240419-0005
- https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61
- https://nvd.nist.gov/vuln/detail/CVE-2024-22257
What are Similar Vulnerabilities to CVE-2024-22257?
Similar Vulnerabilities: CVE-2023-46294, CVE-2023-34035, CVE-2023-20863, CVE-2023-20861, CVE-2022-22965
