About the Vulnerability

Introduction

Spring Security is a powerful and highly customizable framework for authentication and access control. It is the de facto standard for securing Spring-based applications.

Summary

On October 31, 2024, Sangfor FarSight Labs received notification that a Spring Security component contains information of Unauthorized Access Vulnerability (CVE-2024-38821), classified as critical in threat level.

In some cases, Spring WebFlux applications with Spring Security authorization rules for static resources can be bypassed. Unauthorized attackers can exploit this vulnerability to bypass permission controls, access static resources, leading to the leakage of sensitive information and loss of server control. Details of the exploitation of this vulnerability have been made public on the Internet.

Affected Versions

Spring Security ≤ 5.7.12

5.8.0 ≤ Spring Security ≤ 5.8.14

6.0.0 ≤ Spring Security ≤ 6.0.12

6.1.0 ≤ Spring Security ≤ 6.1.10

6.2.0 ≤ Spring Security ≤ 6.2.6

6.3.0 ≤ Spring Security ≤ 6.3.3

Solutions

Official Solution

Secure versions:

Spring Security 5.7.13(enterprise only)

Spring Security 5.8.15(enterprise only)

Spring Security 6.0.13(enterprise only)

Spring Security 6.1.11(enterprise only)

Spring Security 6.2.7

Spring Security 6.3.4

Solution:

The latest version has been officially released by Vmware for the vulnerability patching. Affected users are recommended to update the Spring Security to the latest version.

Download link:

https://github.com/spring-projects/spring-security/tags

Note: Some versions mentioned above are only supported by enterprise versions.

Sangfor Solutions

Risky Assets Detection

Support is provided for the proactive detection of Spring Security; and it is capable of batch identifying the affected asset conditions of this event in business scenarios. Related products are as follows:

[Sangfor Host Security] has released a detection scheme with Fingerprint ID: 0007881.

Timeline

On October 31, 2024, Sangfor FarSight Labs received notification of Spring Security Unauthorized Access to Static Resources Vulnerability.

On October 31, 2024, Sangfor FarSight Labs released a vulnerability alert.

References

https://spring.io/security/cve-2024-38821

Listen To This Post

Search

Get in Touch

Get in Touch with Sangfor Team for Business Inquiry

Related Articles

See Other Product