CVE-2024-22257 - Open Redirect / Server-side Request Forgery (SSRF)
Severity: None
2025-03-11
Abstract
In Spring Security versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, 6.0.x prior to 6.0.9, 6.1.x prior to 6.1.8 and 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote and passes a null Authentication parameter.
The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
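As an added check that is not part of this advisory, the Python below encodes the affected Spring Security branches listed above and scans a dependency listing for versions that predate each branch's fix. The sample listing and its Maven-style line format are constructed for the example.

```python
import re

# First fixed release of each affected Spring Security branch, as listed in the abstract.
FIXED_IN = ["5.7.12", "5.8.11", "6.0.9", "6.1.8", "6.2.3"]

# Constructed sample in the shape of `mvn dependency:list` output (not real project data).
SAMPLE_DEPENDENCY_LIST = """
org.springframework.security:spring-security-core:jar:6.1.7:compile
org.springframework.security:spring-security-web:jar:6.1.7:compile
org.springframework.security:spring-security-config:jar:6.2.3:compile
org.springframework:spring-core:jar:6.1.4:compile
"""

def parse_version(v):
    """Split 'MAJOR.MINOR.PATCH[-QUALIFIER]' into (major, minor, patch, ga).
    ga is 1 for a GA release and 0 for a pre-release such as 6.2.3-RC1, which
    Maven orders before 6.2.3 and which therefore still counts as unfixed."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    major, minor, patch, qualifier = m.groups()
    return int(major), int(minor), int(patch), 0 if qualifier else 1

def is_affected(version):
    """True if version sits on a listed branch and predates that branch's fix.
    Branches the advisory does not list (e.g. 6.3.x) are reported as not affected."""
    major, minor, patch, ga = parse_version(version)
    for fixed in FIXED_IN:
        f_major, f_minor, f_patch, _ = parse_version(fixed)
        if (major, minor) == (f_major, f_minor) and (patch, ga) < (f_patch, 1):
            return True
    return False

# Matches "groupId:artifactId:jar:version:..." lines for the Spring Security group only.
DEP_RE = re.compile(r"^(org\.springframework\.security):([^:]+):jar:([^:]+):")

def find_affected_dependencies(listing):
    """Return 'artifact:version' for every Spring Security entry whose version is affected."""
    hits = []
    for line in listing.splitlines():
        m = DEP_RE.match(line.strip())
        if m and is_affected(m.group(3)):
            hits.append(f"{m.group(2)}:{m.group(3)}")
    return hits

if __name__ == "__main__":
    print(find_affected_dependencies(SAMPLE_DEPENDENCY_LIST))
```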
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Oxygen Feedback v4.1 and older | None | Oxygen Feedback 5.0 build 2024090417 |
| Oxygen Content Fusion v7.1 and older | None | N/A |
Detail
CVE-2024-22257
Severity: High
CVSS Score: 8.2
The Spring Security third-party library used by Oxygen XML products is one of the affected versions named in the CVE-2024-22257 vulnerability description. However, Oxygen products do not use AuthenticatedVoter#vote. For that reason, Oxygen products are not affected by this vulnerability.
Starting with Oxygen Feedback v5.0 build 2024090417, Spring Security was updated to a version that fixes this vulnerability.