This page lists Spring advisories.
Authorization Bypass of Static Resources in WebFlux Applications
Description
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.
For this to impact an application, all of the following must be true:
- It must be a WebFlux application
- It must be using Spring's static resources support
- It must have a non-permitAll authorization rule applied to the static resources support …
CVE-2024-38819: Path traversal vulnerability in functional web frameworks (2nd report)
CVE-2024-38820: Spring Framework DataBinder Case Sensitive Match Exception
CVE-2024-38816: Path traversal vulnerability in functional web frameworks
CVE-2024-38807: Signature Forgery Vulnerability in Spring Boot's Loader
CVE-2024-38810: Missing Authorization When Using @AuthorizeReturnObject
Description
Applications using @AuthorizeReturnObject or the Spring Security produced AuthorizationAdvisorProxyFactory @Bean to wrap objects may not have all security advice applied. When method security advice is not applied, it means that annotations like @PreFilter and @PreAuthorize may take no effect…
CVE-2024-38808: Spring Expression DoS Vulnerability
CVE-2024-38809: Spring Framework DoS via conditional HTTP request
CVE-2024-37084: Remote code execution in Spring Cloud Data Flow
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy.