About the Vulnerability
Introduction
Spring Security is a powerful and highly customizable framework for authentication and access control. It is the de facto standard for securing Spring-based applications.
Summary
On October 31, 2024, Sangfor FarSight Labs received notification that a Spring Security component contains information of Unauthorized Access Vulnerability (CVE-2024-38821), classified as critical in threat level.
In some cases, Spring WebFlux applications with Spring Security authorization rules for static resources can be bypassed. Unauthorized attackers can exploit this vulnerability to bypass permission controls, access static resources, leading to the leakage of sensitive information and loss of server control. Details of the exploitation of this vulnerability have been made public on the Internet.
Affected Versions
Spring Security ≤ 5.7.12
5.8.0 ≤ Spring Security ≤ 5.8.14
6.0.0 ≤ Spring Security ≤ 6.0.12
6.1.0 ≤ Spring Security ≤ 6.1.10
6.2.0 ≤ Spring Security ≤ 6.2.6
6.3.0 ≤ Spring Security ≤ 6.3.3
Solutions
Official Solution
Secure versions:
Spring Security 5.7.13(enterprise only)
Spring Security 5.8.15(enterprise only)
Spring Security 6.0.13(enterprise only)
Spring Security 6.1.11(enterprise only)
Spring Security 6.2.7
Spring Security 6.3.4
Solution:
The latest version has been officially released by Vmware for the vulnerability patching. Affected users are recommended to update the Spring Security to the latest version.
Download link:
https://github.com/spring-projects/spring-security/tags
Note: Some versions mentioned above are only supported by enterprise versions.
Sangfor Solutions
Risky Assets Detection
Support is provided for the proactive detection of Spring Security; and it is capable of batch identifying the affected asset conditions of this event in business scenarios. Related products are as follows:
[Sangfor Host Security] has released a detection scheme with Fingerprint ID: 0007881.
Timeline
On October 31, 2024, Sangfor FarSight Labs received notification of Spring Security Unauthorized Access to Static Resources Vulnerability.
On October 31, 2024, Sangfor FarSight Labs released a vulnerability alert.