Spring Security fixes Critical Vulnerability CVE-2024-38821

Spring Security has disclosed a critical vulnerability affecting WebFlux applications that enables an authorization bypass under specific conditions. If exploited, this vulnerability could allow unauthorized access to static resources, undermining application security.

The vulnerability, tracked as CVE-2024-38821 with a CVSS score of 9.1, arises in Spring WebFlux applications that meet all of the following conditions:

  • The application is built using Spring WebFlux.
  • It utilizes Spring’s support for static resources.
  • It applies a non-permitAll authorization rule on the static resources.

Affected versions include Spring Security 5.7.x through 6.3.x. The updates are available across both Open-Source Software (OSS) and Enterprise Support channels for specific versions.


To resolve this issue, Spring recommends updating to the latest secured versions:

  • For the 5.7.x series: Update to 5.7.13 (available through Enterprise Support).
  • For the 5.8.x series: Update to 5.8.15 (Enterprise Support).
  • For the 6.0.x series: Update to 6.0.13 (Enterprise Support).
  • For the 6.1.x series: Update to 6.1.11 (Enterprise Support).
  • For the 6.2.x series: Update to 6.2.7 (OSS).
  • For the 6.3.x series: Update to 6.3.4 (OSS).

Organizations are urged to prioritize this update to protect against potential exploitation. Keeping software components current, particularly those that manage authorization, is critical to preventing unauthorized access.
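As an added illustration (not code from the advisory or from the Spring project), the configuration below meets all three conditions listed above and adds a startup check that compares the running Spring Security version with the fixed releases listed above; the class name, the /static/** path and the fail-closed constructor check are assumptions.

```java
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.SpringSecurityCoreVersion;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class StaticResourceSecurityConfig { // hypothetical class name

    // First patched release of each affected minor line, as listed in the advisory.
    private static final Map<String, Integer> FIXED_PATCH = Map.of(
            "5.7", 13, "5.8", 15, "6.0", 13, "6.1", 11, "6.2", 7, "6.3", 4);

    public StaticResourceSecurityConfig() {
        // Fail closed at startup if the classpath still carries a vulnerable build.
        String running = SpringSecurityCoreVersion.getVersion();
        if (!isPatched(running)) {
            throw new IllegalStateException(
                    "Spring Security " + running + " is affected by CVE-2024-38821; upgrade");
        }
    }

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        // All three advisory conditions are met here: a WebFlux app, static
        // resources (served under /static/**, an assumed location), and a rule on
        // them that is not permitAll(). On an unpatched version this restriction
        // is the one the advisory says can be bypassed; the fix is the upgrade.
        return http
                .authorizeExchange(ex -> ex
                        .pathMatchers("/static/**").authenticated()
                        .anyExchange().permitAll())
                .httpBasic(Customizer.withDefaults())
                .build();
    }

    /** True if version is at or above its line's patched release, or not in an affected line. */
    static boolean isPatched(String version) {
        if (version == null) return false;               // no manifest version: treat as unpatched
        String[] parts = version.split("\\.");           // e.g. "6.3.3"
        if (parts.length < 3) return false;
        Integer fixed = FIXED_PATCH.get(parts[0] + "." + parts[1]);
        if (fixed == null) return true;                  // e.g. 6.4.x: not an affected line per the advisory
        try {
            return Integer.parseInt(parts[2]) >= fixed;  // "4-SNAPSHOT" fails to parse: unpatched
        } catch (NumberFormatException e) {
            return false;
        }
    }
}
```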
