Spring Product Security Update Advisory (CVE-2024-38821)
Overview
An update has been released to address vulnerabilities in Spring Products. Users of the affected versions are advised to update to the latest version.
Affected Products
CVE-2024-38821
- Spring WebFlux versions: 5.7.0 (inclusive) ~ 5.7.12 (inclusive)
- Spring WebFlux versions: 5.8.0 (inclusive) ~ 5.8.14 (inclusive)
- Spring WebFlux versions: 6.0.0 (inclusive) ~ 6.0.12 (inclusive)
- Spring WebFlux versions: 6.1.0 (inclusive) ~ 6.1.10 (inclusive)
- Spring WebFlux versions: 6.2.0 (inclusive) ~ 6.2.6 (inclusive)
- Spring WebFlux versions: 6.3.0 (inclusive) ~ 6.3.3 (inclusive)
* Unsupported or below versions are also affected.
Resolved Vulnerabilities
Vulnerability that could allow Spring Security authentication rules to be bypassed under certain conditions when a non-permitAll permission setting is applied to static resources in Spring WebFlux applications (CVE-2024-38821)
Vulnerability Patches
Vulnerability patches have been made available in the latest updates. Please follow the instructions on the Referenced Sites to update to the latest Vulnerability Patches version.
CVE-2024-38821
- Spring WebFlux version: 5.7.13
- Spring WebFlux version: 5.8.15
- Spring WebFlux version: 6.0.13
- Spring WebFlux version: 6.1.11
- Spring WebFlux version: 6.2.7
- Spring WebFlux version: 6.3.4
Referenced Sites
[1] CVE-2024-38821 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-38821
[2] Authorization Bypass of Static Resources in WebFlux Applications