X.509 authentication bypasses Spring Security account checks
X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts).
Affected versions:
Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
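The following is an added illustration, not Spring WS or Spring Security code, of the step the advisory describes as missing. `CertificateUserLookup` and both `authenticate...` methods are hypothetical stand-ins for the certificate-to-UserDetails mapping and token issuance inside X509AuthenticationProvider. The first method shows the vulnerable shape (a mapped certificate is accepted with no account-status check); the second applies Spring Security's `AccountStatusUserDetailsChecker`, the same checker its pre-authenticated provider uses, so disabled, locked, expired and credentials-expired accounts are rejected before any authenticated token exists.

```java
import java.security.cert.X509Certificate;

import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;

/**
 * Added example (not project code). Shows where account lifecycle checks belong
 * in certificate-based authentication; the two authenticate* methods are
 * hypothetical stand-ins for the lookup-and-issue logic of X509AuthenticationProvider.
 */
public class CertificateAccountCheckExample {

    /** Hypothetical stand-in for the component that maps a presented certificate to UserDetails. */
    interface CertificateUserLookup {
        UserDetails lookup(X509Certificate certificate);
    }

    /**
     * Vulnerable shape: a certificate that maps to an account is treated as fully
     * authenticated, so a disabled, locked or expired account still gets in.
     */
    static UserDetails authenticateWithoutStatusChecks(CertificateUserLookup lookup, X509Certificate cert) {
        UserDetails user = lookup.lookup(cert);
        return user; // no isEnabled / isAccountNonLocked / isAccountNonExpired / isCredentialsNonExpired checks
    }

    /**
     * Hardened shape: after the certificate maps to an account, run the standard
     * account-status checks before the caller may build an authenticated token.
     * AccountStatusUserDetailsChecker throws LockedException, DisabledException,
     * AccountExpiredException or CredentialsExpiredException as appropriate.
     */
    static UserDetails authenticateWithStatusChecks(CertificateUserLookup lookup, X509Certificate cert) {
        UserDetails user = lookup.lookup(cert);
        UserDetailsChecker checker = new AccountStatusUserDetailsChecker();
        checker.check(user);
        return user;
    }

    public static void main(String[] args) {
        // Constructed sample: the certificate maps to a real account, but that account is locked.
        UserDetails lockedUser = User.withUsername("CN=svc-billing")
                .password("{noop}unused")   // never consulted in certificate authentication
                .roles("SOAP_CLIENT")
                .accountLocked(true)
                .build();

        // Constructed lookup: every certificate resolves to the locked account above,
        // so the certificate contents are irrelevant here and a null placeholder is passed.
        CertificateUserLookup lookup = certificate -> lockedUser;
        X509Certificate presented = null;

        System.out.println("without checks: accepted "
                + authenticateWithoutStatusChecks(lookup, presented).getUsername());
        try {
            authenticateWithStatusChecks(lookup, presented);
        } catch (LockedException e) {
            System.out.println("with checks: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The detection-side consequence for operators is that a locked or disabled account authenticating over mutual TLS or WS-Security certificate tokens produces no failed-login event, so account-status enforcement cannot be assumed from the absence of errors; it has to be present in the provider itself, as in the second method.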
Problem Types
| Type | CWE ID | Description |
|---|---|---|
| CWE | CWE-287 | CWE-287: Improper Authentication |
Metrics
| Version | Base score | Base severity | Vector |
|---|---|---|---|
| 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Impacts
| CAPEC ID | Description |
|---|---|
| N/A | Accounts that are disabled, locked, expired, or have expired credentials can still authenticate when mutual TLS or certificate-based SOAP authentication is used via X509AuthenticationProvider. |