Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/47267?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47267?format=api", "vulnerability_id": "VCID-p8md-ykt2-zyav", "summary": "Erroneous authentication pass in Spring Security\nIn Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.\n\nSpecifically, an application is vulnerable if:\n\nThe application uses AuthenticatedVoter directly and a null authentication parameter is passed to it resulting in an erroneous true return value.\n\nAn application is not vulnerable if any of the following is true:\n\n* The application does not use AuthenticatedVoter#vote directly.\n* The application does not pass null to AuthenticatedVoter#vote.\n\nNote that AuthenticatedVoter is deprecated since 5.8, use implementations of AuthorizationManager as a replacement.", "aliases": [ { "alias": "CVE-2024-22257" }, { "alias": "GHSA-f3jh-qvm4-mg39" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69437?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@5.7.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.7.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/69438?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@5.8.11", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/69439?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@6.1.8", "is_vulnerable": false, 
"affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/69440?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@6.2.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.2.3" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66182?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@5.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bxsu-s2pg-8bbt" }, { "vulnerability": "VCID-gmgk-38nq-mkfb" }, { "vulnerability": "VCID-p8md-ykt2-zyav" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/66183?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@6.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bxsu-s2pg-8bbt" }, { "vulnerability": "VCID-gmgk-38nq-mkfb" }, { "vulnerability": "VCID-p8md-ykt2-zyav" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/69045?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@6.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-238s-fv2m-u3bp" }, { "vulnerability": "VCID-p8md-ykt2-zyav" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.2.0" } ], "references": [ { "reference_url": "https://github.com/spring-projects/spring-security", 
"reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/spring-projects/spring-security" }, { "reference_url": "https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240419-0005", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20240419-0005" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22257", "reference_id": "CVE-2024-22257", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22257" }, { "reference_url": "https://spring.io/security/cve-2024-22257", "reference_id": "CVE-2024-22257", "reference_type": "", "scores": [], "url": "https://spring.io/security/cve-2024-22257" }, { "reference_url": "https://github.com/advisories/GHSA-f3jh-qvm4-mg39", "reference_id": "GHSA-f3jh-qvm4-mg39", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f3jh-qvm4-mg39" } ], "weaknesses": [ { "cwe_id": 287, "name": "Improper Authentication", "description": "When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct." }, { "cwe_id": 862, "name": "Missing Authorization", "description": "The product does not perform an authorization check when an actor attempts to access a resource or perform an action." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." 
}, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p8md-ykt2-zyav" }