CVE-2024-22257: 
Jenkins vulnerability analysis and mitigation

CVE-2024-22257 is a broken access control vulnerability affecting Spring Security versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, 6.0.x prior to 6.0.9, 6.1.x prior to 6.1.8, and 6.2.x prior to 6.2.3. The vulnerability was discovered and reported by pwnull and disclosed in March 2024. The issue occurs when an application directly uses the AuthenticatedVoter#vote passing a null Authentication parameter (Spring Security).

The vulnerability stems from improper authorization control in the AuthenticatedVoter component. Specifically, when an application directly uses AuthenticatedVoter#vote and passes a null authentication parameter, it results in an erroneous true return value. The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N, indicating network accessibility with low attack complexity and no required privileges or user interaction (VMware).

Successful exploitation of this vulnerability could lead to broken access control, potentially resulting in disclosure of sensitive information or unauthorized modification of data. The vulnerability affects applications that directly implement the AuthenticatedVoter component, potentially allowing attackers to bypass authentication mechanisms (NetApp Security).

Users of affected versions should upgrade to the corresponding fixed versions: 5.7.12 for 5.7.x, 5.8.11 for 5.8.x, 6.0.9 for 6.0.x, 6.1.8 for 6.1.x, and 6.2.3 for 6.2.x. It's worth noting that AuthenticatedVoter has been deprecated since version 5.8, and implementations of AuthorizationManager are recommended as a replacement (Spring Security).