GHSA-c4q5-6c82-3qpw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c4q5-6c82-3qpw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-c4q5-6c82-3qpw/GHSA-c4q5-6c82-3qpw.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-c4q5-6c82-3qpw
- Aliases
-
- CVE-2024-38821
- Related
- Published
- 2024-10-28T09:30:53Z
- Modified
- 2024-10-28T18:23:43.313205Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Spring Security vulnerable to Authorization Bypass of Static Resources in WebFlux Applications
- Details
-
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.
For this to impact an application, all of the following must be true:
- It must be a WebFlux application
- It must be using Spring's static resources support
- It must have a non-permitAll authorization rule applied to the static resources support
- Database specific
{ "nvd_published_at": "2024-10-28T07:15:07Z", "cwe_ids": [ "CWE-285", "CWE-770" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-10-28T15:19:32Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-38821
- https://github.com/spring-projects/spring-security/commit/0e257b56ce35402558a260ffa6b368982f9a7934
- https://github.com/spring-projects/spring-security/commit/4ce7cde15599c0447163fd46bac616e03318bf5b
- https://github.com/spring-projects/spring-security
- https://spring.io/security/cve-2024-38821
Affected packages
Maven / org.springframework.security:spring-security-web
Package
- Name
- org.springframework.security:spring-security-web
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.security/spring-security-web
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.7.13
Affected versions
3.*
3.0.0.RELEASE
3.0.1.RELEASE
3.0.2.RELEASE
3.0.3.RELEASE
3.0.4.RELEASE
3.0.5.RELEASE
3.0.6.RELEASE
3.0.7.RELEASE
3.0.8.RELEASE
3.1.0.RELEASE
3.1.1.RELEASE
3.1.2.RELEASE
3.1.3.RELEASE
3.1.4.RELEASE
3.1.5.RELEASE
3.1.6.RELEASE
3.1.7.RELEASE
3.2.0.RELEASE
3.2.1.RELEASE
3.2.2.RELEASE
3.2.3.RELEASE
3.2.4.RELEASE
3.2.5.RELEASE
3.2.6.RELEASE
3.2.7.RELEASE
3.2.8.RELEASE
3.2.9.RELEASE
3.2.10.RELEASE
4.*
4.0.0.RELEASE
4.0.1.RELEASE
4.0.2.RELEASE
4.0.3.RELEASE
4.0.4.RELEASE
4.1.0.RELEASE
4.1.1.RELEASE
4.1.2.RELEASE
4.1.3.RELEASE
4.1.4.RELEASE
4.1.5.RELEASE
4.2.0.RELEASE
4.2.1.RELEASE
4.2.2.RELEASE
4.2.3.RELEASE
4.2.4.RELEASE
4.2.5.RELEASE
4.2.6.RELEASE
4.2.7.RELEASE
4.2.8.RELEASE
4.2.9.RELEASE
4.2.10.RELEASE
4.2.11.RELEASE
4.2.12.RELEASE
4.2.13.RELEASE
4.2.14.RELEASE
4.2.15.RELEASE
4.2.16.RELEASE
4.2.17.RELEASE
4.2.18.RELEASE
4.2.19.RELEASE
4.2.20.RELEASE
5.*
5.0.0.RELEASE
5.0.1.RELEASE
5.0.2.RELEASE
5.0.3.RELEASE
5.0.4.RELEASE
5.0.5.RELEASE
5.0.6.RELEASE
5.0.7.RELEASE
5.0.8.RELEASE
5.0.9.RELEASE
5.0.10.RELEASE
5.0.11.RELEASE
5.0.12.RELEASE
5.0.13.RELEASE
5.0.14.RELEASE
5.0.15.RELEASE
5.0.16.RELEASE
5.0.17.RELEASE
5.0.18.RELEASE
5.0.19.RELEASE
5.1.0.RELEASE
5.1.1.RELEASE
5.1.2.RELEASE
5.1.3.RELEASE
5.1.4.RELEASE
5.1.5.RELEASE
5.1.6.RELEASE
5.1.7.RELEASE
5.1.8.RELEASE
5.1.9.RELEASE
5.1.10.RELEASE
5.1.11.RELEASE
5.1.12.RELEASE
5.1.13.RELEASE
5.2.0.RELEASE
5.2.1.RELEASE
5.2.2.RELEASE
5.2.3.RELEASE
5.2.4.RELEASE
5.2.5.RELEASE
5.2.6.RELEASE
5.2.7.RELEASE
5.2.8.RELEASE
5.2.9.RELEASE
5.2.10.RELEASE
5.2.11.RELEASE
5.2.12.RELEASE
5.2.13.RELEASE
5.2.14.RELEASE
5.2.15.RELEASE
5.3.0.RELEASE
5.3.1.RELEASE
5.3.2.RELEASE
5.3.3.RELEASE
5.3.4.RELEASE
5.3.5.RELEASE
5.3.6.RELEASE
5.3.7.RELEASE
5.3.8.RELEASE
5.3.9.RELEASE
5.3.10.RELEASE
5.3.11.RELEASE
5.3.12.RELEASE
5.3.13.RELEASE
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.5.0
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.7
5.5.8
5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.8
5.6.9
5.6.10
5.6.11
5.6.12
5.7.0
5.7.1
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7
5.7.8
5.7.9
5.7.10
5.7.11
5.7.12
Maven / org.springframework.security:spring-security-web
Package
- Name
- org.springframework.security:spring-security-web
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.security/spring-security-web
Maven / org.springframework.security:spring-security-web
Package
- Name
- org.springframework.security:spring-security-web
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.security/spring-security-web
Maven / org.springframework.security:spring-security-web
Package
- Name
- org.springframework.security:spring-security-web
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.security/spring-security-web
Maven / org.springframework.security:spring-security-web
Package
- Name
- org.springframework.security:spring-security-web
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.security/spring-security-web
Maven / org.springframework.security:spring-security-web
Package
- Name
- org.springframework.security:spring-security-web
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.security/spring-security-web