#VU87607 Improper access control in Spring Security - CVE-2024-22257


Vulnerability identifier: #VU87607

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-22257

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Spring Security
Server applications / Frameworks for developing and running applications

Vendor: VMware, Inc

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions when the "AuthenticatedVoter#vote" passing a "null" Authentication parameter. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Spring Security: 5.7.0 - 5.7.11, 5.8.0 - 5.8.10, 6.0.0 - 6.0.9, 6.1.0 - 6.1.7, 6.2.0 - 6.2.2

External links
https://spring.io/security/cve-2024-22257

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM webMethods Managed File Transfer
Multiple vulnerabilities in HPE Unified OSS Console Assurance Monitoring (UOCAM)
Multiple vulnerabilities in Dell VxRail Appliance
Multiple vulnerabilities in Dell Storage Resource Manager (SRM) and Dell Storage Monitoring and Reporting (SMR)
Multiple vulnerabilities in Oracle SD-WAN Edge
Multiple vulnerabilities in IBM Cloud Pak for Network Automation
Multiple vulnerabilities in Dell Data Protection Central
Multiple vulnerabilities in IBM QRadar Suite Software
Multiple vulnerabilities in MySQL Enterprise Monitor
Multiple vulnerabilities in Oracle Insurance Policy Administration J2EE