High severity (8.2, NVD advisory). Published Mar 18, 2024. Updated Apr 15, 2026.
CVE-2024-22257
Description
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote, passing a null Authentication parameter.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework.security:spring-security-core (Maven) | < 5.7.12 | 5.7.12 |
| org.springframework.security:spring-security-core (Maven) | >= 5.8.0, < 5.8.11 | 5.8.11 |
| org.springframework.security:spring-security-core (Maven) | >= 6.0.0, < 6.1.8 | 6.1.8 |
| org.springframework.security:spring-security-core (Maven) | >= 6.2.0, < 6.2.3 | 6.2.3 |
Patches
5a7f12f1a9fd: Check for null Authentication
2 files changed · +4 −1
core/src/main/java/org/springframework/security/access/vote/AuthenticatedVoter.java+1 −1 modified@@ -57,7 +57,7 @@ public class AuthenticatedVoter implements AccessDecisionVoter<Object> { private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl(); private boolean isFullyAuthenticated(Authentication authentication) { - return (!this.authenticationTrustResolver.isAnonymous(authentication) + return authentication != null && (!this.authenticationTrustResolver.isAnonymous(authentication) && !this.authenticationTrustResolver.isRememberMe(authentication)); }
core/src/test/java/org/springframework/security/access/vote/AuthenticatedVoterTests.java+3 −0 modified@@ -59,6 +59,7 @@ public void testAnonymousWorks() { assertThat(AccessDecisionVoter.ACCESS_GRANTED).isEqualTo(voter.vote(createAnonymous(), null, def)); assertThat(AccessDecisionVoter.ACCESS_GRANTED).isEqualTo(voter.vote(createRememberMe(), null, def)); assertThat(AccessDecisionVoter.ACCESS_GRANTED).isEqualTo(voter.vote(createFullyAuthenticated(), null, def)); + assertThat(AccessDecisionVoter.ACCESS_DENIED).isEqualTo(voter.vote(null, null, def)); } @Test @@ -68,6 +69,7 @@ public void testFullyWorks() { assertThat(AccessDecisionVoter.ACCESS_DENIED).isEqualTo(voter.vote(createAnonymous(), null, def)); assertThat(AccessDecisionVoter.ACCESS_DENIED).isEqualTo(voter.vote(createRememberMe(), null, def)); assertThat(AccessDecisionVoter.ACCESS_GRANTED).isEqualTo(voter.vote(createFullyAuthenticated(), null, def)); + assertThat(AccessDecisionVoter.ACCESS_DENIED).isEqualTo(voter.vote(null, null, def)); } @Test @@ -77,6 +79,7 @@ public void testRememberMeWorks() { assertThat(AccessDecisionVoter.ACCESS_DENIED).isEqualTo(voter.vote(createAnonymous(), null, def)); assertThat(AccessDecisionVoter.ACCESS_GRANTED).isEqualTo(voter.vote(createRememberMe(), null, def)); assertThat(AccessDecisionVoter.ACCESS_GRANTED).isEqualTo(voter.vote(createFullyAuthenticated(), null, def)); + assertThat(AccessDecisionVoter.ACCESS_DENIED).isEqualTo(voter.vote(null, null, def)); } @Test
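Review bot: the `authentication != null &&` guard in isFullyAuthenticated addresses the root cause that the removed line makes visible: "fully authenticated" was defined purely negatively, as neither anonymous nor remember-me according to the trust resolver, so a null Authentication that the resolver classifies as neither passed as fully authenticated. Because the fix sits in a private helper, any other place in vote() that hands the same argument to authenticationTrustResolver still relies on those resolver methods returning false for null; an explicit null check at the top of vote() returning ACCESS_DENIED would state the contract in one place. A one-line Javadoc on vote() saying that a null Authentication is always denied would also help, since the advisory says applications call this method directly.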
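Review bot: each of the three added assertions is appended to an existing method (testAnonymousWorks, testFullyWorks, testRememberMeWorks), which does cover every attribute the voter supports but buries the regression check at the end of unrelated cases. A dedicated test such as `testNullAuthenticationIsDenied` that loops over the three definitions would name the fixed behaviour and fail with a clearer message. The object argument is already null in every existing call, so the new cases only vary the Authentication, which is the right scope for this fix.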
References
- https://github.com/advisories/GHSA-f3jh-qvm4-mg39 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2024-22257 (NVD advisory)
- https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61 (fix commit)
- https://security.netapp.com/advisory/ntap-20240419-0005/ (NetApp advisory)
- https://spring.io/security/cve-2024-22257 (Spring security advisory)