Home > Vulnerability Database > CVE-2024-38821

Mend.io Vulnerability Database

CVE-2024-38821

Good to know:

Date: October 28, 2024

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: It must be a WebFlux application, It must be using Spring's static resources support, and it must have a non-permitAll authorization rule applied to the static resources support.

Severity Score

9.1

Related Resources (6)

Url: https://github.com/spring-projects/spring-security/commit/4ce7cde15599c0447163fd46bac616e03318bf5b

Url: https://spring.io/security/cve-2024-38821

Url: https://github.com/spring-projects/spring-security/commit/0e257b56ce35402558a260ffa6b368982f9a7934

Url: https://github.com/spring-projects/spring-security

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-38821

Url: https://www.mend.io/vulnerability-database/CVE-2024-38821

Severity Score

9.1

Weakness Type (CWE)

Improper Authorization

CWE-285

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

Upgrade Version

Upgrade to version org.springframework.security:spring-security-web:5.7.13,5.8.15,6.0.13,6.1.11,6.2.7,6.3.4

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-38821

Good to know:

Date: October 28, 2024

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?