{ "threat_severity" : "Moderate", "public_date" : "2024-02-20T00:00:00Z", "bugzilla" : { "description" : "spring-security: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated", "id" : "2265172", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2265172" }, "cvss3" : { "cvss3_base_score" : "7.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-284", "details" : [ "In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method.\nSpecifically, an application is vulnerable if:\n* The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it resulting in an erroneous true return value.\nAn application is not vulnerable if any of the following is true:\n* The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly.\n* The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated\n* The application only uses isFullyAuthenticated via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html  or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html", "A vulnerability was found in Spring Security. This issue may lead to Broken Access Control, allowing a malicious user to impact the Confidentiality and Integrity of an application or server. This requires the application to use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and have a null authentication parameter passed to it, resulting in an erroneous true return value." ], "statement" : "Red Hat considers this as a Moderate impact since it requires the malicious user to have knowledge of how a server implements the authentication resolver from Spring Security. A validation is also suggested to make sure there are no null parameters and no erroneous true is triggered from this method.\nAn application is not vulnerable if any of the following are true:\n- The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly\n- The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated\n- The application only uses isFullyAuthenticated via Method Security or HTTP Request Security", "affected_release" : [ { "product_name" : "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", "release_date" : "2024-06-03T00:00:00Z", "advisory" : "RHSA-2024:3550", "cpe" : "cpe:/a:redhat:rhboac_hawtio:4.0.0", "package" : "spring-security" }, { "product_name" : "Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2", "release_date" : "2024-07-25T00:00:00Z", "advisory" : "RHSA-2024:4884", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.4::el6" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers", "release_date" : "2024-09-12T00:00:00Z", "advisory" : "RHSA-2024:6667", "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8", "package" : "devspaces/pluginregistry-rhel8:3.16-16" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Will not fix", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 3", "fix_state" : "Not affected", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:camel_spring_boot:3" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Affected", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Not affected", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat Build of Keycloak", "fix_state" : "Not affected", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:build_keycloak:" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "io.quarkus/quarkus-spring-security", "cpe" : "cpe:/a:redhat:quarkus:2" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "io.quarkus/quarkus-spring-security", "cpe" : "cpe:/a:redhat:quarkus:3" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Out of support scope", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "log4j:2/log4j", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "log4j", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Out of support scope", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Not affected", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Not affected", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Out of support scope", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Not affected", "package_name" : "spring-security", "cpe" : "cpe:/a:redhat:amq_streams:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-22234\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-22234\nhttps://spring.io/security/cve-2024-22234" ], "name" : "CVE-2024-22234", "mitigation" : { "value" : "Make sure the application is not vulnerable according to the description bullet points mentioned in this page.", "lang" : "en:us" }, "csaw" : false }