In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method.
Specifically, an application is vulnerable if:
An application is not vulnerable if any of the following is true:
Name | Vendor | Start Version | End Version |
---|---|---|---|
HawtIO 4.0.0 for Red Hat build of Apache Camel 4 | RedHat | spring-security | * |
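
The check below is an added example, not code from the advisory or from Spring Security: it tests a resolved spring-security version against the two affected ranges stated above and lists the lines in Java sources that invoke `isFullyAuthenticated(` on a receiver. The function names and the sample `Guard` class are assumptions made for illustration, and the source match is a textual heuristic that does not resolve the receiver's type.

```python
import re

# Affected ranges exactly as the advisory states them:
# 6.1.x prior to 6.1.7 and 6.2.x prior to 6.2.2. Other branches are not judged here.
FIXED_PATCH = {(6, 1): 7, (6, 2): 2}

# Java string literals, line comments and block comments (blanked before matching).
NON_CODE = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)
# An invocation on a receiver, e.g. resolver.isFullyAuthenticated(auth).
CALL = re.compile(r"\.\s*isFullyAuthenticated\s*\(")

# Constructed sample source, not taken from any real project.
SAMPLE = '''\
import org.springframework.security.authentication.AuthenticationTrustResolver;
class Guard {
    private AuthenticationTrustResolver resolver;
    // resolver.isFullyAuthenticated(auth) mentioned in a comment only
    boolean allowed(Authentication auth) {
        String doc = "see http://example.invalid/a.isFullyAuthenticated(x)";
        return resolver.isFullyAuthenticated(auth);
    }
}
'''


def is_affected_version(version):
    """True if the version is in one of the ranges the advisory lists."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed


def find_direct_calls(java_source):
    """1-based line numbers of receiver calls to isFullyAuthenticated(."""
    # Blank strings and comments but keep newlines so line numbers stay correct.
    code = NON_CODE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), java_source)
    if "AuthenticationTrustResolver" not in code:  # heuristic: type never named
        return []
    return [code.count("\n", 0, m.start()) + 1 for m in CALL.finditer(code)]


def triage(version, sources):
    """Map file name -> call lines, only for versions in an affected range."""
    if not is_affected_version(version):
        return {}
    hits = {name: find_direct_calls(src) for name, src in sources.items()}
    return {name: lines for name, lines in hits.items() if lines}
```

Each reported line is a call site to review by hand; an empty result for an affected version means no textual match was found, not that the type was resolved.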