CVE-2024-38821

Authorization Bypass

Affects: Spring Security >=5.7.0 <5.7.13, >=5.8.0 <5.8.15, >=6.0.0 <6.0.13, >=6.1.0 <6.1.11, >=6.2.0 <6.2.7, >=6.3.0 <6.3.4 (in Spring)

Patch Available: this vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Security is a powerful and highly customizable authentication and access-control framework for Java applications. It provides a range of security features that make it easier to secure enterprise applications.

An authorization bypass affecting the static resources of WebFlux applications (CVE-2024-38821) has been identified in Spring Security; it could allow access to static files that the application's authorization rules were meant to protect.

This issue affects multiple versions of Spring Security.

Details

Module Info

  • Product: Spring Security
  • Affected packages: spring-security-web
  • Affected versions: >=5.7.0 <5.7.13, >=5.8.0 <5.8.15, >=6.0.0 <6.0.13, >=6.1.0 <6.1.11, >=6.2.0 <6.2.7, >=6.3.0 <6.3.4
  • GitHub repository: https://github.com/spring-projects/spring-security
  • Package manager: Maven
  • Fixed in: Spring NES v5.7.14, v5.8.16

Vulnerability Info

In certain cases, Spring WebFlux applications with Spring Security authorization rules on static resources may be vulnerable to authorization bypass.

For this issue to affect an application, all of the following conditions must be met:

  • The application must use WebFlux.
  • It must leverage Spring’s static resources support.
  • A non-permitAll authorization rule must be applied to the static resources.
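The following configuration is an added illustration, not code from the advisory or from the Spring Security project. It shows a WebFlux security configuration that satisfies all three conditions above, so a reader can recognise the pattern in their own code base and check the spring-security-web version that serves it. The class name, package and the "/static/**" and "/public/**" path patterns are assumptions for the example.

```java
// Added example: a reactive (WebFlux) Spring Security configuration that meets the
// three conditions listed in the advisory. Package, class and path names are assumed.
package com.example.security;

import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity // condition 1: the application runs on the reactive WebFlux stack
public class StaticResourceSecurityConfig {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges
                // condition 2 + 3: Spring's static resource support serves files under
                // this pattern (in a Spring Boot application the default location is
                // classpath:/static/), and the rule applied to it is NOT permitAll().
                // On an affected spring-security-web version this is the rule the
                // advisory says may be bypassed; the fix is upgrading the dependency.
                .pathMatchers("/static/**").authenticated()
                // a permitAll() rule is outside the advisory's conditions
                .pathMatchers("/public/**").permitAll()
                .anyExchange().authenticated())
            .httpBasic(withDefaults())
            .build();
    }
}
```

When auditing an application for this advisory, look for exactly this shape: @EnableWebFluxSecurity (or a SecurityWebFilterChain bean), static resources served by Spring, and an authorizeExchange rule other than permitAll() covering their path. If all three are present, compare the resolved spring-security-web version (for example from `mvn dependency:list`) against the affected ranges listed under Module Info and upgrade to a fixed version.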

Steps To Reproduce

Our team will update these steps as soon as more is known.

Credits

  • Tkswifty
  • d4y1ightl@gmail.com

Mitigation

Spring Security 5.8.x and 5.7.x are no longer community-supported.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Security.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

  • ID: CVE-2024-38821
  • Project affected: Spring Security
  • Versions affected: >=5.7.0 <5.7.13, >=5.8.0 <5.8.15, >=6.0.0 <6.0.13, >=6.1.0 <6.1.11, >=6.2.0 <6.2.7, >=6.3.0 <6.3.4
  • Published date: October 25, 2024
  • Approximate fix date: October 29, 2024
  • Severity: Critical
  • Category: Authorization Bypass