Severity
High
Analysis Summary
CVE-2024-22257 CVSS:8.2
VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by a broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter. By sending a direct request, an attacker could exploit this vulnerability to bypass access restrictions.
CVE-2024-22258 CVSS:6.1
VMware Tanzu Spring Authorization Server could allow a remote attacker to bypass security restrictions. By sending a direct request, an attacker could exploit this vulnerability to perform PKCE Downgrade attack.
Impact
- Security Bypass
Indicators of Compromise
CVE
- CVE-2024-22257
- CVE-2024-22258
Affected Vendors
VMWare
Affected Products
- VMware Tanzu Spring Security 5.7.0
- VMware Tanzu Spring Security 5.8.0
- VMware Tanzu Spring Security 6.0.0
- VMware Tanzu Spring Security 6.1.0
- VMware Tanzu Spring Security 6.1.6
- VMware Tanzu Spring Security 6.2.0
- VMware Tanzu Spring Security 6.2.1
- VMware Tanzu Spring Security 6.2.2
- VMware Tanzu Spring Security 6.1.7
- VMware Tanzu Spring Security 6.0.9
- VMware Tanzu Spring Security 5.8.10
- VMware Tanzu Spring Security 5.7.11
- VMware Tanzu Spring Authorization Server 1.0.5
- VMware Tanzu Spring Authorization Server 1.1.5
- VMware Tanzu Spring Authorization Server 1.2.2
- VMware Tanzu Spring Authorization Server 1.0.0
- VMware Tanzu Spring Authorization Server 1.1.0
- VMware Tanzu Spring Authorization Server 1.2.0
Remediation
Refer to Spring Security Advisories for patch, upgrade or suggested workaround information.