Bypassing Authorization Rules in Spring WebFlux Applications

CVE-2024-38821
CVSS 9.1 CRITICAL

Key Information

Vendor: Spring
CVE Published: 28 October 2024

Badges

👾 Exploit Exists · 🔴 Public PoC · 📰 News Worthy

Summary

CVE-2024-38821 affects Spring WebFlux applications and can allow authorization rules on static resources to be bypassed. It only impacts applications that use Spring's static resources support and apply a non-permitAll authorization rule to those static resources; applications that serve static resources with permitAll, or that do not use the static resources support at all, are not affected. The vulnerability has been exploited and carries a critical CVSS rating. The affected versions of Spring include 5.7.x, 5.8.x, 6.0.x, 6.1.x, and 6.2.x. Organizations are advised to update to the fixed versions to mitigate the risk. The severity of the vulnerability is disputed: some vendors assess it as a moderate risk, while others consider it high. Regardless of which assessment applies, affected organizations should address this vulnerability in a timely manner.

Affected Version(s)

Spring <= 5.7.x

Spring < 5.7.13

Spring < 5.8.15

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit exists.

  • First article discovered.

  • Vulnerability published.

  • Vulnerability reserved.

Collectors

NVD Database · Mitre Database · 1 Proof of Concept(s) · 2 News Article(s)