VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-e8tz-73s8-myct

Essentials
Severities (16)
References (13)
Severity details (15)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-e8tz-73s8-myct
Aliases	CVE-2024-22257 GHSA-f3jh-qvm4-mg39
Summary	In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (5)

CWE-287	Improper Authentication
CWE-862	Missing Authorization
CWE-284	Improper Access Control
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	9.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22257.json
epss	0.00394	https://api.first.org/data/v1/epss?cve=CVE-2024-22257
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-f3jh-qvm4-mg39
cvssv3.1	8.2	https://github.com/spring-projects/spring-security
generic_textual	HIGH	https://github.com/spring-projects/spring-security
cvssv3.1	8.2	https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61
generic_textual	HIGH	https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61
cvssv3.1	8.2	https://nvd.nist.gov/vuln/detail/CVE-2024-22257
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2024-22257
cvssv3.1	8.2	https://security.netapp.com/advisory/ntap-20240419-0005
generic_textual	HIGH	https://security.netapp.com/advisory/ntap-20240419-0005
cvssv3.1	8.2	https://security.netapp.com/advisory/ntap-20240419-0005/
ssvc	Track	https://security.netapp.com/advisory/ntap-20240419-0005/
cvssv3.1	8.2	https://spring.io/security/cve-2024-22257
generic_textual	HIGH	https://spring.io/security/cve-2024-22257
ssvc	Track	https://spring.io/security/cve-2024-22257

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22257.json
		https://api.first.org/data/v1/epss?cve=CVE-2024-22257
		https://github.com/spring-projects/spring-security
		https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61
		https://security.netapp.com/advisory/ntap-20240419-0005
2270158		https://bugzilla.redhat.com/show_bug.cgi?id=2270158
cve-2024-22257		https://spring.io/security/cve-2024-22257
CVE-2024-22257		https://nvd.nist.gov/vuln/detail/CVE-2024-22257
GHSA-f3jh-qvm4-mg39		https://github.com/advisories/GHSA-f3jh-qvm4-mg39
ntap-20240419-0005		https://security.netapp.com/advisory/ntap-20240419-0005/
RHSA-2024:3354		https://access.redhat.com/errata/RHSA-2024:3354
RHSA-2024:3708		https://access.redhat.com/errata/RHSA-2024:3708
RHSA-2024:4884		https://access.redhat.com/errata/RHSA-2024:4884

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22257.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://github.com/spring-projects/spring-security

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-22257

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://security.netapp.com/advisory/ntap-20240419-0005

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://security.netapp.com/advisory/ntap-20240419-0005/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-12T15:22:14Z/ Found at https://security.netapp.com/advisory/ntap-20240419-0005/

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://spring.io/security/cve-2024-22257

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-12T15:22:14Z/ Found at https://spring.io/security/cve-2024-22257

Exploit Prediction Scoring System (EPSS)

Percentile	0.60708
EPSS Score	0.00394
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-10T18:47:38.498722+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2024/22xxx/CVE-2024-22257.json	38.6.0