Spring Security Advisories

Authorization Bypass of Static Resources in WebFlux Applications

CRITICAL | OCTOBER 22, 2024 | CVE-2024-38821

Description

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.

For this to impact an application, all of the following must be true:

  • It must be a WebFlux application
  • It must be using Spring's static resources support
  • It must have a non-permitAll authorization rule applied to the static resources support

Affected Spring Products and Versions

This affects the following Spring Security versions:

  • 5.7.0 - 5.7.12
  • 5.8.0 - 5.8.14
  • 6.0.0 - 6.0.12
  • 6.1.0 - 6.1.10
  • 6.2.0 - 6.2.6
  • 6.3.0 - 6.3.3
  • Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
5.7.x 5.7.13 Enterprise Support Only
5.8.x 5.8.15 Enterprise Support Only
6.0.x 6.0.13 Enterprise Support Only
6.1.x 6.1.11 Enterprise Support Only
6.2.x 6.2.7 OSS
6.3.x 6.3.4 OSS

Credit

The vulnerability was reported responsibly by tkswifty and [email protected]

References

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all