About the Vulnerability
Introduction
Spring Security is a powerful and highly customizable framework for authentication and access control. It is the de facto standard for securing Spring-based applications.
Summary
On October 31, 2024, Sangfor FarSight Labs received notification of an unauthorized access vulnerability in a Spring Security component (CVE-2024-38821), classified as critical in threat level.
In some cases, Spring Security authorization rules for static resources in Spring WebFlux applications can be bypassed. Unauthorized attackers can exploit this vulnerability to bypass permission controls and access static resources, leading to the leakage of sensitive information and loss of server control. Details of the exploitation of this vulnerability have been made public on the Internet.
Affected Versions
Spring Security ≤ 5.7.12
5.8.0 ≤ Spring Security ≤ 5.8.14
6.0.0 ≤ Spring Security ≤ 6.0.12
6.1.0 ≤ Spring Security ≤ 6.1.10
6.2.0 ≤ Spring Security ≤ 6.2.6
6.3.0 ≤ Spring Security ≤ 6.3.3
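A version check built from the ranges listed above, as an added example (not Sangfor's or the Spring project's code): it scans a JAR listing for spring-security artifacts, flags versions inside the affected ranges, and reports whether spring-webflux is present, since the page describes the issue for WebFlux applications. The sample listing, the function names and the "review" status for pre-release qualifiers are assumptions made for this example.

```python
import re

# Affected ranges as listed on this page (inclusive); None means no lower bound.
AFFECTED_RANGES = [
    (None, (5, 7, 12)),
    ((5, 8, 0), (5, 8, 14)),
    ((6, 0, 0), (6, 0, 12)),
    ((6, 1, 0), (6, 1, 10)),
    ((6, 2, 0), (6, 2, 6)),
    ((6, 3, 0), (6, 3, 3)),
]
# Artifact name, x.y.z version and an optional qualifier (RELEASE, M1, SNAPSHOT, ...).
JAR_RE = re.compile(
    r"(spring-security-[a-z0-9-]+?|spring-webflux)"
    r"-(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z0-9]+))?\.jar$"
)
# Constructed sample: library listing of a packaged application (not real data).
SAMPLE_LISTING = """\
BOOT-INF/lib/spring-webflux-6.1.10.jar
BOOT-INF/lib/spring-security-web-6.2.6.jar
BOOT-INF/lib/spring-security-config-6.3.4.jar
BOOT-INF/lib/spring-security-core-5.3.9.RELEASE.jar
BOOT-INF/lib/spring-security-crypto-6.4.0-M1.jar
BOOT-INF/lib/jackson-databind-2.15.3.jar
"""

def classify(version, qualifier=None):
    """Return 'affected', 'review' or 'not affected' for an (x, y, z) version."""
    if qualifier and qualifier.upper() != "RELEASE":
        return "review"  # assumption: pre-releases are outside the page's list
    for low, high in AFFECTED_RANGES:
        if (low is None or version >= low) and version <= high:
            return "affected"
    return "not affected"

def scan(listing):
    """Classify every spring-security JAR and note whether spring-webflux is present."""
    findings, webflux = [], False
    for line in listing.splitlines():
        m = JAR_RE.search(line.strip())
        if not m:
            continue
        name, version = m.group(1), tuple(int(g) for g in m.group(2, 3, 4))
        if name == "spring-webflux":
            webflux = True
        else:
            text = ".".join(map(str, version))
            findings.append((name, text, classify(version, m.group(5))))
    return {"webflux_present": webflux, "findings": findings}
```

A version match alone does not confirm exposure: the page limits the issue to WebFlux applications that apply authorization rules to static resources, so an "affected" finding with `webflux_present` set is the case to prioritize for upgrade.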
Solutions
Official Solution
Secure versions:
Spring Security 5.7.13 (enterprise only)
Spring Security 5.8.15 (enterprise only)
Spring Security 6.0.13 (enterprise only)
Spring Security 6.1.11 (enterprise only)
Spring Security 6.2.7
Spring Security 6.3.4
Solution:
VMware has officially released the latest version, which patches the vulnerability. Affected users are recommended to update Spring Security to the latest version.
Download link:
https://github.com/spring-projects/spring-security/tags
Note: Some of the versions mentioned above are available to enterprise users only.
Sangfor Solutions
Risky Assets Detection
Sangfor products support proactive detection of Spring Security and can batch-identify the assets affected by this vulnerability in business scenarios. Related products are as follows:
[Sangfor Host Security] has released a detection scheme with Fingerprint ID: 0007881.
Timeline
On October 31, 2024, Sangfor FarSight Labs received notification of Spring Security Unauthorized Access to Static Resources Vulnerability.
On October 31, 2024, Sangfor FarSight Labs released a vulnerability alert.
References
https://spring.io/security/cve-2024-38821