fkie_cve-2024-38821
Vulnerability from fkie_nvd
Published
2024-10-28 07:15
Modified
2025-01-24 20:15
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: * It must be a WebFlux application * It must be using Spring's static resources support * It must have a non-permitAll authorization rule applied to the static resources support
References
security@vmware.comhttps://spring.io/security/cve-2024-38821
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20250124-0006/
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.\n\nFor this to impact an application, all of the following must be true:\n\n  *  It must be a WebFlux application\n  *  It must be using Spring\u0027s static resources support\n  *  It must have a non-permitAll authorization rule applied to the static resources support"
    },
    {
      "lang": "es",
      "value": "Las aplicaciones WebFlux de Spring que tienen reglas de autorizaci\u00f3n de Spring Security sobre recursos est\u00e1ticos pueden omitirse en determinadas circunstancias. Para que esto afecte a una aplicaci\u00f3n, deben cumplirse todas las condiciones siguientes: * Debe ser una aplicaci\u00f3n WebFlux * Debe utilizar el soporte de recursos est\u00e1ticos de Spring * Debe tener una regla de autorizaci\u00f3n que no sea permitAll aplicada al soporte de recursos est\u00e1ticos"
    }
  ],
  "id": "CVE-2024-38821",
  "lastModified": "2025-01-24T20:15:32.427",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "security@vmware.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-28T07:15:07.633",
  "references": [
    {
      "source": "security@vmware.com",
      "url": "https://spring.io/security/cve-2024-38821"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20250124-0006/"
    }
  ],
  "sourceIdentifier": "security@vmware.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.