CVE-2024-38821

Summary

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.

For this to impact an application, all of the following must be true:

  • It must be a WebFlux application
  • It must be using Spring's static resources support
  • It must have a non-permitAll authorization rule applied to the static resources support

Affected Software

VendorProductVersion RangeStatus
SpringSpring5.7.x < 5.7.13affected
SpringSpring5.8.x < 5.8.15affected
SpringSpring6.0.x < 6.0.13affected
SpringSpring6.1.x < 6.1.11affected
SpringSpring6.2.x < 6.2.7affected
SpringSpring6.3.x < 6.3.4affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

CVE Program Container

Additional References

References