VulnerableCode Package Details - pkg:maven/org.springframework.security/spring-security-core@6.2.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-dwcq-d6nf-1ubn Aliases: CVE-2024-22257 GHSA-f3jh-qvm4-mg39	Erroneous authentication pass in Spring Security In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter. Specifically, an application is vulnerable if: The application uses AuthenticatedVoter directly and a null authentication parameter is passed to it resulting in an erroneous true return value. An application is not vulnerable if any of the following is true: * The application does not use AuthenticatedVoter#vote directly. * The application does not pass null to AuthenticatedVoter#vote. Note that AuthenticatedVoter is deprecated since 5.8, use implementations of AuthorizationManager as a replacement.	6.2.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-u6vb-w2bu-ykfk Aliases: CVE-2024-38827 GHSA-q3v6-hm2v-pw99	Spring Framework has Authorization Bypass for Case Sensitive Comparisons The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.	6.2.8 Affected by 0 other vulnerabilities. 6.3.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-dwcq-d6nf-1ubn
Aliases:
CVE-2024-22257
GHSA-f3jh-qvm4-mg39

Erroneous authentication pass in Spring Security In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter. Specifically, an application is vulnerable if: The application uses AuthenticatedVoter directly and a null authentication parameter is passed to it resulting in an erroneous true return value. An application is not vulnerable if any of the following is true: * The application does not use AuthenticatedVoter#vote directly. * The application does not pass null to AuthenticatedVoter#vote. Note that AuthenticatedVoter is deprecated since 5.8, use implementations of AuthorizationManager as a replacement.

6.2.3
Affected by 1 other vulnerability.

VCID-u6vb-w2bu-ykfk
Aliases:
CVE-2024-38827
GHSA-q3v6-hm2v-pw99

Spring Framework has Authorization Bypass for Case Sensitive Comparisons The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

6.2.8
Affected by 0 other vulnerabilities.

6.3.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-42hz-39hx-myh7	Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is vulnerable if: * The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it resulting in an erroneous true return value. An application is not vulnerable if any of the following is true: * The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly. * The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated * The application only uses isFullyAuthenticated via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html	CVE-2024-22234 GHSA-w3w6-26f2-p474

Vulnerability

Summary

Aliases

VCID-42hz-39hx-myh7

Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is vulnerable if: * The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it resulting in an erroneous true return value. An application is not vulnerable if any of the following is true: * The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly. * The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated * The application only uses isFullyAuthenticated via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html

CVE-2024-22234
GHSA-w3w6-26f2-p474

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:15:55.548227+00:00	GitLab Importer	Affected by	VCID-u6vb-w2bu-ykfk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2024-38827.yml	38.4.0
2026-04-16T22:54:08.488247+00:00	GitLab Importer	Affected by	VCID-dwcq-d6nf-1ubn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2024-22257.yml	38.4.0
2026-04-16T22:51:26.879802+00:00	GitLab Importer	Fixing	VCID-42hz-39hx-myh7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2024-22234.yml	38.4.0
2026-04-12T00:34:35.972591+00:00	GitLab Importer	Affected by	VCID-u6vb-w2bu-ykfk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2024-38827.yml	38.3.0
2026-04-12T00:12:34.500944+00:00	GitLab Importer	Affected by	VCID-dwcq-d6nf-1ubn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2024-22257.yml	38.3.0
2026-04-12T00:10:32.259256+00:00	GitLab Importer	Fixing	VCID-42hz-39hx-myh7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2024-22234.yml	38.3.0
2026-04-03T00:42:20.725286+00:00	GitLab Importer	Affected by	VCID-u6vb-w2bu-ykfk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2024-38827.yml	38.1.0
2026-04-03T00:18:53.755968+00:00	GitLab Importer	Affected by	VCID-dwcq-d6nf-1ubn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2024-22257.yml	38.1.0
2026-04-03T00:16:01.530282+00:00	GitLab Importer	Fixing	VCID-42hz-39hx-myh7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2024-22234.yml	38.1.0
2026-04-01T16:04:36.100909+00:00	GHSA Importer	Fixing	VCID-42hz-39hx-myh7	https://github.com/advisories/GHSA-w3w6-26f2-p474	38.0.0
2026-04-01T12:52:32.169026+00:00	GitLab Importer	Fixing	VCID-42hz-39hx-myh7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2024-22234.yml	38.0.0
2026-04-01T12:50:27.688436+00:00	GithubOSV Importer	Fixing	VCID-42hz-39hx-myh7	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-w3w6-26f2-p474/GHSA-w3w6-26f2-p474.json	38.0.0