SCA: security update for org.springframework.security:spring-security-core (GHSA-w3w6-26f2-p474)

high Tenable Self-Hosted Container Security Plugin ID 419669

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is
vulnerable to broken access control when it directly uses the
AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is
vulnerable if: * The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication)
directly and a null authentication parameter is passed to it resulting in an erroneous true return value.
An application is not vulnerable if any of the following is true: * The application does not use
AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly. * The application does not pass
null to AuthenticationTrustResolver.isFullyAuthenticated * The application only uses isFullyAuthenticated
via Method Security https://docs.spring.io/spring-security/reference/servlet/authorization/method-
security.html or HTTP Request Security https://docs.spring.io/spring-
security/reference/servlet/authorization/authorize-http-requests.html (CVE-2024-22234)

Solution

Update the org.springframework.security:spring-security-core library and its related packages to version 6.1.7 or later.

See Also

https://github.com/advisories/GHSA-w3w6-26f2-p474

Plugin Details

Severity: High

ID: 419669

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

Percentile: 96.95

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2024-22234

CVSS v3

Risk Factor: High

Base Score: 7.4

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/20/2024

Vulnerability Publication Date: 2/20/2024

Reference Information

CVE: CVE-2024-22234

cwe: CWE-284