Spring Authorization Bypass - CVE-2024-38821
Introduction
On October 25, 2024, Spring announced CVE-2024-38821, a critical (CVSS 9.1) vulnerability in Spring Security that allows an attacker to access restricted static resources under specific conditions. Affected versions are Spring Security 5.7.x before 5.7.13, 5.8.x before 5.8.15, 6.0.x before 6.0.13, 6.1.x before 6.1.11, 6.2.x before 6.2.7 and 6.3.x before 6.3.4; the fix is to upgrade to a patched release.
The vulnerability is limited to the static resource serving of Spring WebFlux. An application is affected only if all of the following are true:
It must be a WebFlux application.
It must be using Spring's static resources support.
It must apply an authorization rule other than permitAll to those static resources (for example hasRole or authenticated). An application that serves static resources with permitAll is not affected, because there is no restriction to bypass.
PoC
REFERENCES