Overview
Spring Security is a powerful and highly customizable authentication and access-control framework for Java applications. It provides a range of security features that make it easier to secure enterprise applications.
An authorization bypass affecting the static resources of WebFlux applications (CVE-2024-38821) has been identified in Spring Security; it could allow unauthorized access to files that an application's authorization rules were intended to protect.
This issue affects multiple versions of Spring Security.
Details
Module Info
- Product: Spring Security
- Affected packages: spring-security-web
- Affected versions: >=5.7.0 <5.7.13, >=5.8.0 <5.8.15, >=6.0.0 <6.0.13, >=6.1.0 <6.1.11, >=6.2.0 <6.2.7, >=6.3.0 <6.3.4
- GitHub repository: https://github.com/spring-projects/spring-security
- Package manager: Maven
- Fixed in: Spring NES v5.7.14, v5.8.16
Vulnerability Info
In certain cases, Spring WebFlux applications with Spring Security authorization rules on static resources may be vulnerable to authorization bypass.
For this issue to affect an application, all of the following conditions must be met:
- The application must use WebFlux.
- It must leverage Spring’s static resources support.
- A non-permitAll authorization rule must be applied to the static resources.
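As an added illustration (not code from the advisory or from the Spring project), the following minimal Spring Boot WebFlux configuration satisfies all three conditions above, so a reviewer can recognise the pattern in their own code base; the `/docs/**` path, the `ADMIN` role and the class names are hypothetical. Whether such an application is actually affected depends on the spring-security-web version it resolves.

```java
// Added example: a WebFlux application that serves static resources and
// protects them with a non-permitAll rule. Paths, roles and class names are
// hypothetical; they only show the shape of the configuration the advisory
// describes, not a specific application.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.reactive.config.ResourceHandlerRegistry;
import org.springframework.web.reactive.config.WebFluxConfigurer;

// Conditions 1 and 2: a WebFlux application using Spring's static resource
// support. Files under classpath:/static/docs/ are served at /docs/**.
@Configuration
public class StaticResourceConfig implements WebFluxConfigurer {
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/docs/**")
                .addResourceLocations("classpath:/static/docs/");
    }
}

// Condition 3: an authorization rule other than permitAll() applied to the
// same static path. An application built like this should verify that its
// spring-security-web dependency is outside the affected version ranges.
@Configuration
@EnableWebFluxSecurity
class StaticResourceSecurityConfig {
    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
                .authorizeExchange(exchanges -> exchanges
                        // non-permitAll rule on the static resources
                        .pathMatchers("/docs/**").hasRole("ADMIN")
                        .anyExchange().authenticated())
                .httpBasic(Customizer.withDefaults())
                .build();
    }
}
```

To confirm which spring-security-web version such a project actually resolves, `mvn dependency:tree -Dincludes=org.springframework.security:spring-security-web` lists it, and that version can be compared against the affected ranges given above.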
Steps To Reproduce
Our team will update these steps as soon as more is known.
Credits
- Tkswifty
- d4y1ightl@gmail.com
Mitigation
Spring Security 5.8.x and 5.7.x are no longer community-supported. For more information, see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to supported versions of Spring Security.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.