Critical Flaw Allows Authorization Bypass in Spring WebFlux Applications

Summary: A critical vulnerability, CVE-2024-38821, has been disclosed by Spring Security, affecting WebFlux applications and enabling an authorization bypass of static resources. Organizations using affected versions are urged to upgrade to secure versions to prevent unauthorized access.

Threat Actor: Unknown
Victim: Spring Security Users

Key Points:

  • CVE-2024-38821 has a CVSS severity score of 9.1, indicating high risk.
  • The vulnerability affects Spring Security versions 5.7.x through 6.3.x, allowing unauthorized access under specific conditions.
  • Spring recommends users upgrade to the latest secured versions to mitigate the risk.
  • Older, unsupported versions of Spring Security are also impacted.
  • Keeping software components updated is essential for preventing unauthorized access.

In a recent security advisory, Spring Security disclosed CVE-2024-38821, a critical vulnerability impacting WebFlux applications, with a CVSS severity score of 9.1. The flaw enables an “authorization bypass of static resources in WebFlux applications” under specific conditions. If exploited, this vulnerability could allow unauthorized access to static resources that the application intended to protect, undermining its authorization model.

According to the advisory, the bypass occurs in Spring WebFlux applications that meet all of the following conditions:

  • The application is built using Spring WebFlux.
  • It utilizes Spring’s support for static resources.
  • It applies a non-permitAll authorization rule on static resources.

Affected versions include Spring Security 5.7.x through 6.3.x, specifically versions:

  • 5.7.0 – 5.7.12
  • 5.8.0 – 5.8.14
  • 6.0.0 – 6.0.12
  • 6.1.0 – 6.1.10
  • 6.2.0 – 6.2.6
  • 6.3.0 – 6.3.3

Older, unsupported versions of Spring Security are also impacted. “Users of affected versions should upgrade to the corresponding fixed version,” advises the Spring Security team, noting that updates are available across both Open Source Software (OSS) and Enterprise Support channels for specific versions.

To resolve this issue, Spring recommends updating to the latest secured versions:

  • For the 5.7.x series: Update to 5.7.13 (available through Enterprise Support).
  • For the 5.8.x series: Update to 5.8.15 (Enterprise Support).
  • For the 6.0.x series: Update to 6.0.13 (Enterprise Support).
  • For the 6.1.x series: Update to 6.1.11 (Enterprise Support).
  • For the 6.2.x series: Update to 6.2.7 (OSS).
  • For the 6.3.x series: Update to 6.3.4 (OSS).
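A quick way to turn the two version lists above into a dependency check, as an added example that is not part of the advisory or of Spring's own tooling: the script classifies a Spring Security version as affected, fixed, or newer than any series the advisory lists, and scans constructed `mvn dependency:list`-style lines for spring-security artifacts (the sample lines and the `scan`/`classify` helpers are assumptions for illustration).

```python
import re

# (last affected patch, first fixed patch) per series, as listed above
RANGES = {
    (5, 7): (12, 13), (5, 8): (14, 15), (6, 0): (12, 13),
    (6, 1): (10, 11), (6, 2): (6, 7), (6, 3): (3, 4),
}

def parse_version(v):
    """'MAJOR.MINOR.PATCH' -> (int, int, int); qualifiers like -SNAPSHOT are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) for x in m.groups())

def classify(version):
    """Return 'affected', 'fixed' or 'not-listed' for a Spring Security version."""
    major, minor, patch = parse_version(version)
    if (major, minor) < (5, 7):
        return "affected"          # older, unsupported lines are also impacted
    if (major, minor) in RANGES:
        last_affected, _ = RANGES[(major, minor)]
        return "affected" if patch <= last_affected else "fixed"
    return "not-listed"            # newer than any series in the advisory

def fixed_version_for(version):
    """First fixed release in the same series, or '' if the series is not listed."""
    major, minor, _ = parse_version(version)
    if (major, minor) in RANGES:
        return f"{major}.{minor}.{RANGES[(major, minor)][1]}"
    return ""

# Constructed sample in the style of `mvn dependency:list` output (not real build output)
SAMPLE = """\
[INFO]    org.springframework.security:spring-security-web:jar:6.3.3:compile
[INFO]    org.springframework.security:spring-security-config:jar:6.2.7:compile
[INFO]    org.springframework:spring-webflux:jar:6.1.13:compile
"""

ARTIFACT = re.compile(r"org\.springframework\.security:([\w-]+):jar:([^:\s]+)")

def scan(text):
    """Classify every spring-security artifact found in dependency output."""
    return [(name, ver, classify(ver)) for name, ver in ARTIFACT.findall(text)]

if __name__ == "__main__":
    for name, ver, status in scan(SAMPLE):
        hint = f" -> upgrade to {fixed_version_for(ver)}" if status == "affected" else ""
        print(f"{name} {ver}: {status}{hint}")
```

Feed it the real output of your build tool's dependency listing; any artifact reported as `affected` should be moved to the fixed release of its series.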

Organizations using affected versions of Spring Security are strongly urged to prioritize this update to protect against potential exploitation. Keeping software components current, particularly those that manage authorization, is critical to preventing unauthorized access.


Source: https://securityonline.info/cve-2024-38821-cvss-9-1-allows-authorization-bypass-in-webflux-applications