Bypassing Authorization Rules in Spring WebFlux Applications
Key Information
- Vendor: Spring
- CVE Published: 28 October 2024
Summary
The vulnerability CVE-2024-38821 affects Spring WebFlux applications and can lead to the bypassing of authorization rules on static resources. It only affects applications that use Spring's static resources support and apply a non-permitAll authorization rule to those static resources. The vulnerability has been exploited and has a critical CVSS rating. The affected versions of Spring include 5.7.x, 5.8.x, 6.0.x, 6.1.x, and 6.2.x. Organizations are advised to update to the fixed versions to mitigate the risk. The severity of the vulnerability is disputed: some vendors assess it as a moderate risk while others consider it high. Despite the differing assessments, affected organizations should address this vulnerability in a timely manner.
Affected Version(s)
- Spring <= 5.7.x
- Spring < 5.7.13
- Spring < 5.8.15
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
Admins Spring into action over latest open source vuln
If you're running an application built using the Spring development framework, now is a good time to check it's fully updated – a new, critical-severity vulnerability has just been disclosed. Tracked as...
1 week ago
Timeline
- Exploit exists.
- First article discovered.
- Vulnerability published.
- Vulnerability reserved.