Bypassing Authorization Rules in Spring WebFlux Applications
CVE-2024-38821
Key Information:
- Vendor: Spring
- CVE Published: 28 October 2024
Summary
CVE-2024-38821 affects Spring WebFlux applications and can lead to a bypass of authorization rules on static resources. It only impacts applications that use Spring's static resources support and apply a non-permitAll authorization rule to those static resources. The vulnerability has been exploited and has a critical CVSS rating. The affected versions of Spring include 5.7.x, 5.8.x, 6.0.x, 6.1.x, and 6.2.x. Organizations are advised to update to the fixed versions to mitigate the risk. The severity of the vulnerability is disputed: some vendors assess it as a moderate risk while others consider it high. Despite the differing assessments, affected organizations should address this vulnerability in a timely manner.
Affected Version(s)
- Spring 5.7.x < 5.7.13
- Spring 5.8.x < 5.8.15
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
CVE-2024-38821: Spring Security Patch Update & How TuxCare Users Are Protected
CVE-2024-38821: Stay secure with Spring Security's latest patch and TuxCare's support, ensuring protection for your Spring applications
Admins Spring into action over latest open source vuln
If you're running an application built using the Spring development framework, now is a good time to check it's fully updated: a new, critical-severity vulnerability has just been disclosed. Tracked as...
Timeline
- Public PoC available
- Exploit known to exist
- First article discovered by The Register
- Vulnerability published
- Vulnerability reserved