Authorization Bypass of Static Resources in WebFlux Applications

CRITICAL | OCTOBER 22, 2024 | CVE-2024-38821

Description

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.

For this to impact an application, all of the following must be true:

  • It must be a WebFlux application
  • It must be using Spring's static resources support
  • It must have a non-permitAll authorization rule applied to the static resources support

Affected Spring Products and Versions

Spring Security:

  • 6.3.0 - 6.3.3
  • 6.2.0 - 6.2.6
  • 6.1.0 - 6.1.10
  • 6.0.0 - 6.0.12
  • 5.8.0 - 5.8.14
  • 5.7.12 and earlier

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
Fix versionAvailability
6.3.4OSS
6.2.7OSS
6.1.11Enterprise Support Only
6.0.13Enterprise Support Only
5.8.15Enterprise Support Only
5.7.13Enterprise Support Only

No further mitigation steps are necessary.

Credit

The vulnerability was reported responsibly by tkswifty and [email protected]

History

  • 2024-10-22: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all