CVE-2024-22257: Spring Security Flaw Opens Door to Broken Access Control Attacks
Spring Security, a widely used framework for securing Java-based applications, has a serious vulnerability that could allow attackers to bypass authentication and gain unauthorized access to sensitive systems. The vulnerability, tracked as CVE-2024-22257, has been given a “High” severity rating.
What is Spring Security?
Spring Security is a powerful framework favored by developers for its ability to provide robust authentication and authorization mechanisms within Java applications. It’s a crucial component in safeguarding many web applications and services.
The Vulnerability Explained
The core issue in CVE-2024-22257 lies in how Spring Security handles authentication checks when its AuthenticatedVoter component is used directly. If an application passes a null value to AuthenticatedVoter#vote, the voter can incorrectly grant access, exposing the system to attack.
Why This Matters
Broken access control vulnerabilities are a prime target for attackers. Since access control systems are the gatekeepers of sensitive data and resources, breaches can lead to data theft, system compromise, and even the disruption of critical operations.
Who is at Risk?
Applications running on the following versions of Spring Security are vulnerable:
- 6.2.0 to 6.2.2
- 6.1.0 to 6.1.7
- 6.0.0 to 6.0.9
- 5.8.0 to 5.8.10
- 5.7.0 to 5.7.11
- Older, unsupported versions
Mitigation: What You Need to Do
The immediate fix recommended by Spring is to upgrade to the latest patched versions of the Spring Security framework:
- 5.7.12
- 5.8.11
- 6.0.10
- 6.1.8
- 6.2.3
While the patch addresses the immediate issue, the Spring team also advises developers to stop using the AuthenticatedVoter component directly. The component is deprecated, and applications that still rely on it for authentication checks are at increased risk. Consider migrating to the newer authorization management mechanisms provided by Spring Security.
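The following is an added example, not code from the Spring project or from this article, showing the two defensive choices the text describes: keeping a null value from ever reaching AuthenticatedVoter#vote while an application still uses the deprecated voter, and the AuthorizationManager replacement Spring recommends migrating to. The class name FullyAuthenticatedGuard and the method names are assumptions; the AuthorizationManager path assumes Spring Security 5.8 or later.

```java
import java.util.List;
import java.util.function.Supplier;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;

/**
 * Added example (not Spring's own code): two "is the caller fully
 * authenticated?" checks. The legacy path wraps the deprecated voter so that a
 * null Authentication is never handed to vote(); the second path uses the
 * AuthorizationManager API that replaces the voter.
 */
public final class FullyAuthenticatedGuard {

    // Attribute the legacy voter understands for a full-authentication check.
    private static final List<ConfigAttribute> FULLY =
            SecurityConfig.createList(AuthenticatedVoter.IS_AUTHENTICATED_FULLY);

    @SuppressWarnings("deprecation")
    private static final AuthenticatedVoter LEGACY_VOTER = new AuthenticatedVoter();

    // Modern equivalent; the secured-object type does not matter for this check.
    private static final AuthorizationManager<Object> MANAGER =
            AuthenticatedAuthorizationManager.fullyAuthenticated();

    /** Legacy path: fail closed before delegating, so vote() never sees null. */
    @SuppressWarnings("deprecation")
    public static boolean legacyIsFullyAuthenticated(Authentication auth, Object securedObject) {
        if (auth == null) {
            return false; // no principal at all: deny without consulting the voter
        }
        int vote = LEGACY_VOTER.vote(auth, securedObject, FULLY);
        return vote == AccessDecisionVoter.ACCESS_GRANTED;
    }

    /** Recommended path: the same decision via AuthorizationManager. */
    public static boolean isFullyAuthenticated(Authentication auth, Object securedObject) {
        if (auth == null) {
            return false; // same fail-closed rule, independent of the manager's own handling
        }
        Supplier<Authentication> supplier = () -> auth;
        AuthorizationDecision decision = MANAGER.check(supplier, securedObject);
        return decision != null && decision.isGranted();
    }
}
```

Both methods treat a missing Authentication as a denial, so an unauthenticated request cannot be granted access regardless of which check the application is still wired to.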