VulnerableCode Package Details - pkg:maven/org.springframework.security/spring-security-core@6.2.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-2b4h-659w-77ak Aliases: CVE-2024-38827 GHSA-q3v6-hm2v-pw99	The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.	6.2.8 Affected by 0 other vulnerabilities. 6.3.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-e8tz-73s8-myct Aliases: CVE-2024-22257 GHSA-f3jh-qvm4-mg39	In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.	6.2.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-jkjh-vn29-b3db Aliases: CVE-2024-22234 GHSA-w3w6-26f2-p474	In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is vulnerable if: * The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it resulting in an erroneous true return value. An application is not vulnerable if any of the following is true: * The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly. * The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated * The application only uses isFullyAuthenticated via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html	6.2.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-2b4h-659w-77ak
Aliases:
CVE-2024-38827
GHSA-q3v6-hm2v-pw99

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

6.2.8
Affected by 0 other vulnerabilities.

6.3.5
Affected by 1 other vulnerability.

VCID-e8tz-73s8-myct
Aliases:
CVE-2024-22257
GHSA-f3jh-qvm4-mg39

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.

6.2.3
Affected by 1 other vulnerability.

VCID-jkjh-vn29-b3db
Aliases:
CVE-2024-22234
GHSA-w3w6-26f2-p474

In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is vulnerable if: * The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it resulting in an erroneous true return value. An application is not vulnerable if any of the following is true: * The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly. * The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated * The application only uses isFullyAuthenticated via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html or HTTP Request Security https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html

6.2.2
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T19:47:35.979667+00:00	GitLab Importer	Affected by	VCID-2b4h-659w-77ak	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2024-38827.yml	38.6.0
2026-06-12T15:48:20.118702+00:00	GitLab Importer	Affected by	VCID-e8tz-73s8-myct	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2024-22257.yml	38.6.0
2026-06-12T15:48:08.650029+00:00	GitLab Importer	Affected by	VCID-jkjh-vn29-b3db	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2024-22234.yml	38.6.0
2026-06-11T20:34:14.147247+00:00	GHSA Importer	Affected by	VCID-e8tz-73s8-myct	https://github.com/advisories/GHSA-f3jh-qvm4-mg39	38.6.0
2026-06-11T20:33:55.717268+00:00	GHSA Importer	Affected by	VCID-jkjh-vn29-b3db	https://github.com/advisories/GHSA-w3w6-26f2-p474	38.6.0