CVE-2024-38821 CRITICAL

CVE-2024-38821: Authorization Bypass of Static Resources in WebFlux Applications

Vendor Spring
Product Spring
Published October 28, 2024
Last update January 24, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

In Spring WebFlux applications, Spring Security authorization rules applied to static resources can be bypassed under certain circumstances. For an application to be affected, all of the following must be true:

* It must be a WebFlux application
* It must be using Spring's static resources support
* It must have a non-permitAll authorization rule applied to the static resources support

Key dates

Disclosure timeline

October 28, 2024 CVE published
January 24, 2025 Record updated