Bypassing Authorization Rules in Spring WebFlux Applications
CVE-2024-38821

9.1 CRITICAL

Key Information:

Vendor: Spring
CVE Published: 28 October 2024

Badges

👾 Exploit Exists · 🟡 Public PoC · 📰 News Worthy

What is CVE-2024-38821?

CVE-2024-38821 is a vulnerability affecting Spring WebFlux applications that implement Spring Security authorization rules for static resources. This vulnerability allows unauthorized users to bypass these security measures under specific conditions, posing a serious risk to organizations relying on WebFlux for their web applications. If exploited, this could result in unauthorized access to sensitive static resources, potentially compromising confidential data and contravening compliance requirements.

Technical Details

The CVE-2024-38821 vulnerability occurs in web applications utilizing the Spring WebFlux framework, specifically those configured to protect static resources with non-permitAll authorization rules. For this vulnerability to be applicable, three critical conditions must be met:

  1. The application must be built using Spring WebFlux.
  2. It must be set up to use Spring's static resources support.
  3. A non-permitAll authorization rule must be applied to these static resources.

Under these circumstances, attackers can exploit the vulnerability to gain access to static content that should otherwise be restricted based on security settings.

Potential impact of CVE-2024-38821

  1. Unauthorized Access to Sensitive Data: The vulnerability allows attackers to access static resources without proper authorization, potentially exposing sensitive data and compromising user privacy.

  2. Regulatory Compliance Risks: Organizations may face legal and regulatory challenges if unauthorized access leads to data breaches, thus violating data protection laws like GDPR or HIPAA.

  3. Reputation Damage: Exploitation of this vulnerability could lead to significant reputational harm for organizations, undermining customer trust and confidence in their ability to secure applications effectively.

Affected Version(s)

Spring 5.7.x < 5.7.13

Spring 5.8.x < 5.8.15

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

CVE-2024-38821 Archives


CVE-2024-38821: Spring Security Patch Update & How TuxCare Users Are Protected

CVE-2024-38821: Stay secure with Spring Security's latest patch and TuxCare's support, ensuring protection for your Spring applications

Admins Spring into action over latest open source vuln

If you're running an application built using the Spring development framework, now is a good time to check it's fully updated – a new, critical-severity vulnerability has just been disclosed. Tracked as...

References

EPSS Score

9% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📰 First article discovered by The Register

  • Vulnerability published

  • Vulnerability Reserved