CVE-2024-38821 (CVSS 9.1) Allows Authorization Bypass in Spring WebFlux Applications
In a recent security advisory, Spring Security disclosed CVE-2024-38821, a critical vulnerability impacting WebFlux applications, with a CVSS severity score of 9.1. The flaw enables an “authorization bypass of static resources in WebFlux applications” under specific conditions. If exploited, this vulnerability could potentially allow unauthorized access to static resources, undermining application security.
According to the advisory, the bypass occurs in Spring WebFlux applications that meet all of the following conditions:
- The application is built using Spring WebFlux.
- It utilizes Spring’s support for static resources.
- It applies a non-`permitAll` authorization rule on static resources.
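To make the three conditions concrete, here is an added illustration (not code from the advisory or from the Spring project) of a minimal Spring Boot WebFlux application whose security configuration matches all of them; the package name, the `/internal/**` path, the `STAFF` role and the user are assumptions for the example.

```java
// Added illustration, not from the advisory: a minimal Spring Boot WebFlux app whose
// security configuration meets all three affected conditions. Package, paths, role
// and user are assumptions for the example.
package example;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.server.SecurityWebFilterChain;

@SpringBootApplication
@EnableWebFluxSecurity
public class StaticResourceApp {

    public static void main(String[] args) {
        SpringApplication.run(StaticResourceApp.class, args);
    }

    // Condition 1 (WebFlux): ServerHttpSecurity / spring-boot-starter-webflux.
    // Condition 2 (static resources): Spring Boot's WebFlux auto-configuration serves files
    // under src/main/resources/static/ at their relative path, so a file placed at
    // static/internal/report.html is reachable as /internal/report.html (assumed layout).
    // Condition 3 (non-permitAll rule): the rule below requires a role for those files.
    // On an affected Spring Security version (for example 6.3.0 - 6.3.3) this is exactly the
    // setup CVE-2024-38821 concerns; the remedy is upgrading to the fixed release (6.3.4
    // for the 6.3 line), not changing this configuration.
    @Bean
    SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("/internal/**").hasRole("STAFF")   // non-permitAll rule on static files
                .anyExchange().permitAll())
            .httpBasic(Customizer.withDefaults())
            .build();
    }

    // In-memory user so the example runs stand-alone; withDefaultPasswordEncoder() is the
    // deprecated demo helper and is used here only to keep the example self-contained.
    @Bean
    MapReactiveUserDetailsService users() {
        UserDetails staff = User.withDefaultPasswordEncoder()
            .username("staff").password("change-me").roles("STAFF").build();
        return new MapReactiveUserDetailsService(staff);
    }
}
```

Applications whose only rule on static resources is `permitAll()` do not meet the third condition, but any role, authority or `authenticated()` requirement on those paths does, so the dependency version is what decides exposure.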
Affected versions include Spring Security 5.7.x through 6.3.x, specifically versions:
- 5.7.0 – 5.7.12
- 5.8.0 – 5.8.14
- 6.0.0 – 6.0.12
- 6.1.0 – 6.1.10
- 6.2.0 – 6.2.6
- 6.3.0 – 6.3.3
Older, unsupported versions of Spring Security are also impacted. “Users of affected versions should upgrade to the corresponding fixed version,” advises the Spring Security team, noting that updates are available across both Open Source Software (OSS) and Enterprise Support channels for specific versions.
To resolve this issue, Spring recommends updating to the latest secured versions:
- For the 5.7.x series: Update to 5.7.13 (available through Enterprise Support).
- For the 5.8.x series: Update to 5.8.15 (Enterprise Support).
- For the 6.0.x series: Update to 6.0.13 (Enterprise Support).
- For the 6.1.x series: Update to 6.1.11 (Enterprise Support).
- For the 6.2.x series: Update to 6.2.7 (OSS).
- For the 6.3.x series: Update to 6.3.4 (OSS).
Organizations using affected versions of Spring Security are strongly urged to prioritize this update to protect against potential exploitation. Keeping software components current, particularly those that manage authorization, is critical to preventing unauthorized access.