CVE-2024-22234

7.4 HIGH

📋 TL;DR

This vulnerability in Spring Security is a broken access control issue: when an application directly calls AuthenticationTrustResolver.isFullyAuthenticated() with a null Authentication parameter, the method incorrectly returns true instead of false. It affects applications using Spring Security 6.1.x before 6.1.7 and 6.2.x before 6.2.2 that call this method directly with a null authentication.

💻 Affected Systems

Products:
  • Spring Security
Versions: 6.1.x prior to 6.1.7, 6.2.x prior to 6.2.2
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when applications directly call AuthenticationTrustResolver.isFullyAuthenticated(Authentication) with null parameter. Using Spring Security's method security or HTTP request security features is not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could bypass authentication checks and gain unauthorized access to protected resources or administrative functions.

🟠 Likely Case

Unauthorized users could access resources intended only for fully authenticated users, leading to data exposure or privilege escalation.

🟢 If Mitigated

With proper null checks or indirect usage via Spring Security's method/HTTP security, the vulnerability is avoided entirely.

🌐 Internet-Facing: MEDIUM - Applications exposed to the internet are at risk if vulnerable code exists, but exploitation requires specific conditions.
🏢 Internal Only: MEDIUM - Internal applications are similarly vulnerable if they contain the specific vulnerable code pattern.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires finding applications that directly use the vulnerable method with null authentication parameters, which may require code analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.7 or 6.2.2

Vendor Advisory: https://spring.io/security/cve-2024-22234

Restart Required: Yes

Instructions:

1. Update the Spring Security dependency to version 6.1.7 (for 6.1.x) or 6.2.2 (for 6.2.x).
2. Update pom.xml or build.gradle with the new version.
3. Rebuild and redeploy the application.
4. Restart the application server.

🔧 Temporary Workarounds

Add null check before method call

Applies to: all

Manually check for null authentication before calling isFullyAuthenticated()

// Java code example:
if (authentication != null && authenticationTrustResolver.isFullyAuthenticated(authentication)) { ... }

Use Spring Security abstractions

Applies to: all

Replace direct method calls with Spring Security's method security annotations or HTTP security configuration

// Use @PreAuthorize("isFullyAuthenticated()") on methods
// Or configure in SecurityFilterChain with .fullyAuthenticated()
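The two workarounds above, combined into one added illustration (this is not code from the page or from the Spring Security project): a hypothetical SafeTrustResolver wrapper that fails closed on a null Authentication, alongside the same requirement expressed through Spring Security's own method security and HttpSecurity configuration, which is the preferred route. The class names SafeTrustResolver, ReportService and SecurityConfig and the /admin/** path are assumptions chosen for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

/**
 * Hypothetical wrapper (assumption: not part of Spring Security) around
 * AuthenticationTrustResolver. A null Authentication is always treated as
 * NOT fully authenticated, so the check fails closed on every library version.
 */
public final class SafeTrustResolver {

    private final AuthenticationTrustResolver delegate = new AuthenticationTrustResolverImpl();

    /** Fail closed: null never counts as fully authenticated. */
    public boolean isFullyAuthenticated(Authentication authentication) {
        if (authentication == null) {
            return false;
        }
        return delegate.isFullyAuthenticated(authentication);
    }

    /** Convenience check against the current thread's security context. */
    public boolean currentUserIsFullyAuthenticated() {
        // getAuthentication() may legitimately be null when no context has been populated yet
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        return isFullyAuthenticated(current);
    }
}

/**
 * Preferred workaround: let Spring Security's method security perform the
 * check instead of calling the resolver directly. Name is an assumption.
 */
@Service
class ReportService {

    @PreAuthorize("isFullyAuthenticated()")
    public String exportReport() {
        // Only reached for a caller that is neither anonymous nor remember-me authenticated
        return "report-contents";
    }
}

/**
 * Preferred workaround for HTTP endpoints: express the requirement in the
 * SecurityFilterChain. The /admin/** path is an assumption for the example.
 */
@Configuration
@EnableMethodSecurity
class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").fullyAuthenticated()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .rememberMe(Customizer.withDefaults());
        return http.build();
    }
}
```

The wrapper is only a stop-gap for code that cannot be migrated immediately; the @PreAuthorize and HttpSecurity forms hand the null handling to the framework, so they are not affected by this issue and remain correct after upgrading.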

🧯 If You Can't Patch

  • Review all code for direct calls to AuthenticationTrustResolver.isFullyAuthenticated() and add null checks
  • Migrate authentication checks to use Spring Security's method security or HTTP request security features instead of direct method calls

🔍 How to Verify

Check if Vulnerable:

Search codebase for 'AuthenticationTrustResolver.isFullyAuthenticated' calls without null checks on the authentication parameter.

Check Version:

Check pom.xml for the spring-security-core dependency (groupId org.springframework.security, artifactId spring-security-core) and its <version> element, or build.gradle for implementation 'org.springframework.security:spring-security-core:VERSION'. If the version is managed by a parent or BOM (for example Spring Boot) and not written out, check the resolved version with mvn dependency:tree or gradle dependencies instead.

Verify Fix Applied:

Check that Spring Security version is 6.1.7+ or 6.2.2+ in dependency files and verify null checks are implemented in code.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected authentication successes for null or unauthenticated users
  • Access logs showing protected resource access without proper authentication

Network Indicators:

  • HTTP requests to protected endpoints without authentication tokens or cookies

SIEM Query:

Authentication logs where user is null or anonymous but access is granted to protected resources
