{ "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", "CVE_data_meta": { "ID": "CVE-2024-22234", "ASSIGNER": "security@vmware.com", "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", "value": "In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication)\u00a0method.\n\nSpecifically, an application is vulnerable if:\n\n * The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication)\u00a0directly and a null\u00a0authentication parameter is passed to it resulting in an erroneous true\u00a0return value.\n\n\nAn application is not vulnerable if any of the following is true:\n\n * The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication)\u00a0directly.\n * The application does not pass null\u00a0to AuthenticationTrustResolver.isFullyAuthenticated\n * The application only uses isFullyAuthenticated\u00a0via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html \u00a0or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html \n\n\n\n" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "Spring", "product": { "product_data": [ { "product_name": "Spring Security", "version": { "version_data": [ { "version_affected": "<", "version_name": "6.1.x", "version_value": "6.1.7" }, { "version_affected": "<", "version_name": "6.2.x", "version_value": "6.2.2" } ] } } ] } } ] } }, "references": { "reference_data": [ { "url": "https://spring.io/security/cve-2024-22234", "refsource": "MISC", "name": "https://spring.io/security/cve-2024-22234" }, { "url": "https://security.netapp.com/advisory/ntap-20240315-0003/", "refsource": "MISC", "name": "https://security.netapp.com/advisory/ntap-20240315-0003/" } ] }, "generator": { "engine": "Vulnogram 0.1.0-dev" }, "source": { "discovery": "UNKNOWN" }, "impact": { "cvss": [ { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } ] } }