GHSA-c4q5-6c82-3qpw

Suggest an improvement
Source
https://github.com/advisories/GHSA-c4q5-6c82-3qpw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-c4q5-6c82-3qpw/GHSA-c4q5-6c82-3qpw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c4q5-6c82-3qpw
Aliases
  • CVE-2024-38821
Related
Published
2024-10-28T09:30:53Z
Modified
2024-10-28T18:34:53.532864Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Spring Security vulnerable to Authorization Bypass of Static Resources in WebFlux Applications
Details

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.

For this to impact an application, all of the following must be true:

  • It must be a WebFlux application
  • It must be using Spring's static resources support
  • It must have a non-permitAll authorization rule applied to the static resources support
Database specific
{
    "nvd_published_at": "2024-10-28T07:15:07Z",
    "cwe_ids": [
        "CWE-285",
        "CWE-770"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-28T15:19:32Z"
}
References

Affected packages

Maven / org.springframework.security:spring-security-web

Package

Name
org.springframework.security:spring-security-web
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.7.13

Affected versions

3.*

3.0.0.RELEASE
3.0.1.RELEASE
3.0.2.RELEASE
3.0.3.RELEASE
3.0.4.RELEASE
3.0.5.RELEASE
3.0.6.RELEASE
3.0.7.RELEASE
3.0.8.RELEASE
3.1.0.RELEASE
3.1.1.RELEASE
3.1.2.RELEASE
3.1.3.RELEASE
3.1.4.RELEASE
3.1.5.RELEASE
3.1.6.RELEASE
3.1.7.RELEASE
3.2.0.RELEASE
3.2.1.RELEASE
3.2.2.RELEASE
3.2.3.RELEASE
3.2.4.RELEASE
3.2.5.RELEASE
3.2.6.RELEASE
3.2.7.RELEASE
3.2.8.RELEASE
3.2.9.RELEASE
3.2.10.RELEASE

4.*

4.0.0.RELEASE
4.0.1.RELEASE
4.0.2.RELEASE
4.0.3.RELEASE
4.0.4.RELEASE
4.1.0.RELEASE
4.1.1.RELEASE
4.1.2.RELEASE
4.1.3.RELEASE
4.1.4.RELEASE
4.1.5.RELEASE
4.2.0.RELEASE
4.2.1.RELEASE
4.2.2.RELEASE
4.2.3.RELEASE
4.2.4.RELEASE
4.2.5.RELEASE
4.2.6.RELEASE
4.2.7.RELEASE
4.2.8.RELEASE
4.2.9.RELEASE
4.2.10.RELEASE
4.2.11.RELEASE
4.2.12.RELEASE
4.2.13.RELEASE
4.2.14.RELEASE
4.2.15.RELEASE
4.2.16.RELEASE
4.2.17.RELEASE
4.2.18.RELEASE
4.2.19.RELEASE
4.2.20.RELEASE

5.*

5.0.0.RELEASE
5.0.1.RELEASE
5.0.2.RELEASE
5.0.3.RELEASE
5.0.4.RELEASE
5.0.5.RELEASE
5.0.6.RELEASE
5.0.7.RELEASE
5.0.8.RELEASE
5.0.9.RELEASE
5.0.10.RELEASE
5.0.11.RELEASE
5.0.12.RELEASE
5.0.13.RELEASE
5.0.14.RELEASE
5.0.15.RELEASE
5.0.16.RELEASE
5.0.17.RELEASE
5.0.18.RELEASE
5.0.19.RELEASE
5.1.0.RELEASE
5.1.1.RELEASE
5.1.2.RELEASE
5.1.3.RELEASE
5.1.4.RELEASE
5.1.5.RELEASE
5.1.6.RELEASE
5.1.7.RELEASE
5.1.8.RELEASE
5.1.9.RELEASE
5.1.10.RELEASE
5.1.11.RELEASE
5.1.12.RELEASE
5.1.13.RELEASE
5.2.0.RELEASE
5.2.1.RELEASE
5.2.2.RELEASE
5.2.3.RELEASE
5.2.4.RELEASE
5.2.5.RELEASE
5.2.6.RELEASE
5.2.7.RELEASE
5.2.8.RELEASE
5.2.9.RELEASE
5.2.10.RELEASE
5.2.11.RELEASE
5.2.12.RELEASE
5.2.13.RELEASE
5.2.14.RELEASE
5.2.15.RELEASE
5.3.0.RELEASE
5.3.1.RELEASE
5.3.2.RELEASE
5.3.3.RELEASE
5.3.4.RELEASE
5.3.5.RELEASE
5.3.6.RELEASE
5.3.7.RELEASE
5.3.8.RELEASE
5.3.9.RELEASE
5.3.10.RELEASE
5.3.11.RELEASE
5.3.12.RELEASE
5.3.13.RELEASE
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.5.0
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.7
5.5.8
5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.8
5.6.9
5.6.10
5.6.11
5.6.12
5.7.0
5.7.1
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7
5.7.8
5.7.9
5.7.10
5.7.11
5.7.12

Maven / org.springframework.security:spring-security-web

Package

Name
org.springframework.security:spring-security-web
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Fixed
5.8.15

Affected versions

5.*

5.8.0
5.8.1
5.8.2
5.8.3
5.8.4
5.8.5
5.8.6
5.8.7
5.8.8
5.8.9
5.8.10
5.8.11
5.8.12
5.8.13
5.8.14

Maven / org.springframework.security:spring-security-web

Package

Name
org.springframework.security:spring-security-web
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.7

Affected versions

6.*

6.2.0
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6

Maven / org.springframework.security:spring-security-web

Package

Name
org.springframework.security:spring-security-web
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.13

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7
6.0.8

Maven / org.springframework.security:spring-security-web

Package

Name
org.springframework.security:spring-security-web
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.11

Affected versions

6.*

6.1.0
6.1.1
6.1.2
6.1.3
6.1.4
6.1.5
6.1.6
6.1.7
6.1.8
6.1.9

Maven / org.springframework.security:spring-security-web

Package

Name
org.springframework.security:spring-security-web
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.3.4

Affected versions

6.*

6.3.0
6.3.1
6.3.2
6.3.3