Connect with sales  +1 877-586-1965

By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2024-38827

Authorization Bypass
Affects
CVE-2024-38827z
<= 5.7.13 >= 5.8.0, <= 5.8.15 >= 6.0.0, <= 6.0.13 >= 6.1.0, <= 6.1.11 >= 6.2.0, <= 6.2.7 >= 6.3.0, <= 6.3.4
in
Spring
No items found.
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs
View NES Solution

Overview

Spring Security is a comprehensive Java security framework for securing enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of secure applications by allowing you to manage authentication, authorization, and other security concerns with ease. Spring Security integrates seamlessly with the Spring Framework, offering robust tools for configuring access controls, managing user roles, and protecting resources, all while allowing Java to be your primary language for application development.

A similar vulnerability to (CVE-2024-38820) has been identified in Spring Security, which could potentially result in authorization rules not working properly.

This issue affects multiple versions of Spring Security.

Details

Module Info

  • Product: Spring Security
  • Affected packages: spring-security-cas, spring-security-config, spring-security-core, spring-security-crypto, spring-security-data, spring-security-ldap, spring-security-oauth2-client, spring-security-taglibs, spring-security-web
  • Affected versions: <= 5.7.13, >= 5.8.0, <= 5.8.15, >= 6.0.0, <= 6.0.13, >= 6.1.0, <= 6.1.11, >= 6.2.0, <= 6.2.7, >= 6.3.0, <= 6.3.4
  • GitHub repository: https://github.com/spring-projects/spring-security
  • Package manager: Maven
  • Fixed in: Spring NES v5.7.15, v5.8.17

Vulnerability Info

The methods String.toLowerCase() and String.toUpperCase() in Java perform case conversions based on locale-specific rules. These rules can vary significantly depending on the locale being used, potentially leading to unexpected behavior in string comparisons or transformations. For example, certain characters in the Turkish locale (e.g., 'i' and 'I') have distinct case-mapping rules that differ from the default behavior.

In the context of CVE-2024-38820, this behavior becomes a security concern if these methods are used in systems involving authorization logic. If a string representing a user's role, permission, or identifier is transformed using these methods, locale-specific exceptions could result in mismatches or improper validation. This can lead to authorization bypass or denial of legitimate access.

Steps To Reproduce

This issue affects multiple packages in spring-security for general reproduction see the related CVE-2024-38820.

Mitigation

Spring Security 5.x is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Security
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credit

Pink arrow
Pink arrow
CVE-2024-38807
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2024-38827
PROJECT Affected
CVE-2024-38827z
Versions Affected
<= 5.7.13 >= 5.8.0, <= 5.8.15 >= 6.0.0, <= 6.0.13 >= 6.1.0, <= 6.1.11 >= 6.2.0, <= 6.2.7 >= 6.3.0, <= 6.3.4
Published date
November 19, 2024
≈ Fix date
November 19, 2024
Fixed in
NES for Spring
Severity
Medium
Category
Authorization Bypass