CVE-2024-22234

Authorization Bypass
Affects
Spring Security
>=6.1.0 <6.1.7, >=6.2.0 <6.2.2
in
Spring
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview 

Spring Security is a complete framework that provides authentication, authorization, and other security features for Java applications, particularly those built with the Spring Framework.

A broken access control (authorization bypass) vulnerability, CVE-2024-22234, has been identified in Spring Security's AuthenticationTrustResolver interface (package org.springframework.security.authentication, shipped in the spring-security-core module). Its isFullyAuthenticated(Authentication) method does not handle a null argument and reports an absent authentication as fully authenticated, so an application that calls it directly with a null can grant unauthenticated callers access to protected resources.

Per OWASP: "Authentication bypass occurs when an attacker is able to gain access to a system without having valid credentials, often due to flaws in the authentication mechanism."

This issue affects versions 6.1.0 to 6.1.6 and 6.2.0 to 6.2.1 of Spring Security (spring-security-core); it is fixed in 6.1.7 and 6.2.2.

Details

Vulnerability Info

CVE-2024-22234 is a high-severity broken access control vulnerability in Spring Security versions 6.1.0 to 6.1.6 and 6.2.0 to 6.2.1. The AuthenticationTrustResolver interface (org.springframework.security.authentication, in spring-security-core) carries a default isFullyAuthenticated(Authentication) method implemented as "not anonymous and not remember-me". Because AuthenticationTrustResolverImpl answers false to both isAnonymous(null) and isRememberMe(null), the conjunction evaluates to true for a null argument: a request that carries no Authentication at all is reported as fully authenticated, and any access decision built on that answer lets an unauthenticated caller through. An application is affected only if it calls isFullyAuthenticated(Authentication) directly and can pass it a null, for example the result of SecurityContextHolder.getContext().getAuthentication() on a request or thread whose SecurityContext was never populated. Applications that reach the check only through HTTP request security (fullyAuthenticated()) or method security (for example @PreAuthorize("isFullyAuthenticated()")) are not affected, because those paths never hand the method a null. The fix in 6.1.7 and 6.2.2 makes the method return false for a null argument.
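The null-to-true behaviour described above, as an added example that is not Spring Security's code: the types below are simplified stand-ins (assumed names, modelled on Authentication, AuthenticationTrustResolverImpl and the default isFullyAuthenticated method) so the program compiles with plain javac and no Spring dependency. It contrasts the affected conjunction with the corrected form and shows the caller-side guard an application stuck on an affected version can apply until it upgrades.

```java
// Added example (not Spring Security's code). The types below are minimal stand-ins for
// org.springframework.security.core.Authentication and the concrete token classes, kept
// only as far as the trust-resolver logic needs them.
interface Authentication {
    String getName();
}

final class UsernamePasswordAuthenticationToken implements Authentication {
    private final String name;
    UsernamePasswordAuthenticationToken(String name) { this.name = name; }
    public String getName() { return name; }
}

final class AnonymousAuthenticationToken implements Authentication {
    public String getName() { return "anonymousUser"; }
}

final class RememberMeAuthenticationToken implements Authentication {
    private final String name;
    RememberMeAuthenticationToken(String name) { this.name = name; }
    public String getName() { return name; }
}

// Stand-in for AuthenticationTrustResolverImpl. Both helpers answer "false" for null,
// which is reasonable on its own ("null is not an anonymous token") but is exactly what
// makes the vulnerable conjunction below collapse to true.
class TrustResolver {
    boolean isAnonymous(Authentication a) {
        return a instanceof AnonymousAuthenticationToken;   // instanceof is false for null
    }

    boolean isRememberMe(Authentication a) {
        return a instanceof RememberMeAuthenticationToken;  // instanceof is false for null
    }

    // Affected shape (6.1.0-6.1.6, 6.2.0-6.2.1): !false && !false == true for a null argument.
    boolean isFullyAuthenticatedVulnerable(Authentication a) {
        return !isAnonymous(a) && !isRememberMe(a);
    }

    // Corrected shape (6.1.7 / 6.2.2 and later): absent authentication is never "fully authenticated".
    boolean isFullyAuthenticatedFixed(Authentication a) {
        return a != null && !isAnonymous(a) && !isRememberMe(a);
    }
}

public class Cve202422234Demo {

    // Caller-side guard for code that cannot upgrade yet (assumed helper, not a Spring API):
    // fail closed on null instead of letting the resolver answer the question.
    static void requireFullyAuthenticated(TrustResolver resolver, Authentication a) {
        if (a == null || !resolver.isFullyAuthenticatedVulnerable(a)) {
            throw new SecurityException("full authentication required");
        }
    }

    public static void main(String[] args) {
        TrustResolver resolver = new TrustResolver();
        // Constructed inputs: the null case is what an unpopulated SecurityContext yields.
        Authentication[] inputs = {
            null,
            new AnonymousAuthenticationToken(),
            new RememberMeAuthenticationToken("alice"),
            new UsernamePasswordAuthenticationToken("alice"),
        };
        for (Authentication a : inputs) {
            String label = (a == null) ? "null" : a.getClass().getSimpleName();
            System.out.printf("%-36s vulnerable=%-5s fixed=%s%n", label,
                    resolver.isFullyAuthenticatedVulnerable(a),
                    resolver.isFullyAuthenticatedFixed(a));
        }

        // The guard rejects null even when backed by the vulnerable resolver method.
        try {
            requireFullyAuthenticated(resolver, null);
            System.out.println("guard: null accepted (BUG)");
        } catch (SecurityException e) {
            System.out.println("guard: null rejected (" + e.getMessage() + ")");
        }
    }
}
```

Run with javac and java on the single file; the first output row is the one that matters, showing the vulnerable method reporting null as fully authenticated while the corrected form and the explicit guard both refuse it. In a real application the null typically arrives from SecurityContextHolder.getContext().getAuthentication() when the anonymous filter did not run, so the audit question is which call sites can observe that state.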

Credits

  • This vulnerability was reported by Rogério Sorroche.

Mitigation

Users of the affected components should apply one of the following mitigations:

  • Upgrade to Spring Security 6.1.7 or 6.2.2 (or any later release), in which isFullyAuthenticated(Authentication) returns false for a null argument.
  • Until the upgrade is in place, audit direct calls to AuthenticationTrustResolver.isFullyAuthenticated and either guard them with an explicit null check that fails closed or move the decision into HTTP request security or method security, which are not affected.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
Vulnerability Details
ID
CVE-2024-22234
PROJECT Affected
Spring Security
Versions Affected
>=6.1.0 <6.1.7, >=6.2.0 <6.2.2
Published date
February 19, 2024
≈ Fix date
February 19, 2024
Severity
High
Category
Authorization Bypass