Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true:

* It must be a WebFlux application
* It must be using Spring's static resources support
* It must have a non-permitAll authorization rule applied to the static resources support
History

Tue, 29 Oct 2024 01:45:00 +0000

Type         Values Removed            Values Added
Weaknesses                             CWE-639
References
Metrics      threat_severity: None     threat_severity: Moderate


Mon, 28 Oct 2024 13:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Spring
                                        Spring webflux
Weaknesses                              CWE-770
CPEs                                    cpe:2.3:a:spring:webflux:*:*:*:*:*:*:*:*
Vendors & Products                      Spring
                                        Spring webflux
Metrics                                 ssvc:
                                        {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 28 Oct 2024 07:15:00 +0000

Type          Values Removed    Values Added
Description                     Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true:
                                * It must be a WebFlux application
                                * It must be using Spring's static resources support
                                * It must have a non-permitAll authorization rule applied to the static resources support
Title                           Authorization Bypass of Static Resources in WebFlux Applications
References
Metrics                         cvssV3_1:
                                {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2024-10-28T07:06:13.404Z

Updated: 2024-11-01T03:55:20.442Z

Reserved: 2024-06-19T22:32:06.583Z

Link: CVE-2024-38821

Vulnrichment

Updated: 2024-10-28T12:37:58.707Z

NVD

Status: Awaiting Analysis

Published: 2024-10-28T07:15:07.633

Modified: 2024-10-28T13:58:09.230

Link: CVE-2024-38821

Redhat

Severity: Moderate

Public Date: 2024-10-28T07:06:13Z

Links: CVE-2024-38821 - Bugzilla