HIGH · CVSS 8.2
CVE-2024-22257 — Spring Security authorization bypass
A broken-authorization bug in Spring Security's AuthenticatedVoter allowed unauthenticated requests to pass certain pre-authorization rules expressed with JSR-250 annotations.
Affects
- Spring Security 5.7-5.8 / 6.0-6.2
What an attacker does
Applications using @RolesAllowed or @PermitAll in specific combinations with method-level security could have access-control bypassed by an unauthenticated request. The bug required a very specific configuration but affected some Spring Boot apps in the wild.
How to detect
Run `mvn dependency:tree | grep spring-security` and compare the resolved spring-security-* versions against the fixed releases listed below.
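The grep above only lists the artifacts; the version comparison is still manual and easy to get wrong (6.1.10 sorts before 6.1.8 lexically). The script below is an added example, not part of this advisory or of Spring Security, that parses `mvn dependency:tree` output and classifies each spring-security-* artifact against the fixed versions this page lists. The sample tree lines, the function names and the status labels are constructed for the example; the 6.0.x line is reported separately because this page names it as affected but lists no fixed 6.0 release.

```shell
#!/bin/sh
# Added example (not from the advisory): classify Spring Security versions found in
# `mvn dependency:tree` output against the fixed releases the advisory lists.

# Fixed release for a major.minor line, as given in the advisory; empty if none listed.
fixed_for_line() {
  case "$1" in
    5.7) echo 5.7.12 ;;
    5.8) echo 5.8.11 ;;
    6.1) echo 6.1.8 ;;
    6.2) echo 6.2.3 ;;
    *)   echo "" ;;
  esac
}

# Numeric dotted-version compare: returns 0 when $1 >= $2 (so 6.1.10 >= 6.1.8 holds).
version_ge() {
  v1=$1; v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    p1=${v1%%.*}; p2=${v2%%.*}
    if [ "$v1" = "$p1" ]; then v1=""; else v1=${v1#*.}; fi
    if [ "$v2" = "$p2" ]; then v2=""; else v2=${v2#*.}; fi
    [ "${p1:-0}" -gt "${p2:-0}" ] && return 0
    [ "${p1:-0}" -lt "${p2:-0}" ] && return 1
  done
  return 0
}

# Map one resolved version to a status label (labels are constructed for this example).
spring_security_status() {
  # Drop qualifiers such as -SNAPSHOT or .RELEASE so only digits and dots remain.
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
  minor_line=$(printf '%s' "$v" | cut -d. -f1,2)
  case "$minor_line" in
    5.7|5.8|6.0|6.1|6.2) ;;
    *) echo "not-in-advisory-range"; return 0 ;;
  esac
  fixed=$(fixed_for_line "$minor_line")
  if [ -z "$fixed" ]; then
    # Advisory names the line as affected but lists no fixed release for it.
    echo "vulnerable-line-no-fix-listed"; return 0
  fi
  if version_ge "$v" "$fixed"; then echo fixed; else echo vulnerable; fi
}

# Read dependency:tree lines on stdin, print "<artifact> <version> <status>" per
# spring-security-* artifact. Version is the field before the scope, which also
# works when a classifier field is present.
scan_dependency_tree() {
  while IFS= read -r line; do
    case "$line" in
      *org.springframework.security:spring-security-*) ;;
      *) continue ;;
    esac
    artifact=$(printf '%s\n' "$line" | awk -F: '{print $2}')
    version=$(printf '%s\n' "$line" | awk -F: '{print $(NF-1)}')
    status=$(spring_security_status "$version")
    printf '%s %s %s\n' "$artifact" "$version" "$status"
  done
}

# Constructed sample of dependency:tree output (not a real project's tree).
SAMPLE_TREE='[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:3.1.9:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:6.1.7:compile
[INFO] |  \- org.springframework.security:spring-security-web:jar:6.1.7:compile
[INFO] +- org.springframework.security:spring-security-core:jar:6.1.7:compile'

case "${1:-}" in
  --demo) printf '%s\n' "$SAMPLE_TREE" | scan_dependency_tree ;;
  --scan) scan_dependency_tree ;;   # usage: mvn dependency:tree | sh check.sh --scan
esac
```

Run it with `--demo` to see the constructed sample classified, or pipe a real `mvn dependency:tree` into `--scan`. Check every spring-security-* artifact, not only spring-security-core: a starter can pull in a mix of versions, and a single lagging module is enough to keep the vulnerable AuthenticatedVoter on the classpath.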
How to fix
Upgrade Spring Security to 5.7.12 / 5.8.11 / 6.1.8 / 6.2.3+.
How Securie catches it
Securie's Java auth specialist audits Spring Security configurations.