{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38821", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2024-06-19T22:32:06.583Z", "datePublished": "2024-10-28T07:06:13.404Z", "dateUpdated": "2025-01-24T20:03:04.932Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "packageName": "Spring Security", "product": "Spring", "vendor": "Spring", "versions": [{"lessThan": "5.7.13", "status": "affected", "version": "5.7.x", "versionType": "Enterprise Support Only"}, {"lessThan": "5.8.15", "status": "affected", "version": "5.8.x", "versionType": "Enterprise Support Only"}, {"lessThan": "6.0.13", "status": "affected", "version": "6.0.x", "versionType": "Enterprise Support Only"}, {"lessThan": "6.1.11", "status": "affected", "version": "6.1.x", "versionType": "Enterprise Support Only"}, {"lessThan": "6.2.7", "status": "affected", "version": "6.2.x", "versionType": "OSS"}, {"lessThan": "6.3.4", "status": "affected", "version": "6.3.x", "versionType": "OSS"}]}], "datePublic": "2024-10-22T05:34:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.</p><p>For this to impact an application, all of the following must be true:</p><ul><li>It must be a WebFlux application</li><li>It must be using Spring's static resources support</li><li>It must have a non-permitAll authorization rule applied to the static resources support</li></ul><br>"}], "value": "Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.\n\nFor this to impact an application, all of the following must be true:\n\n  *  It must be a WebFlux application\n  *  It must be using Spring's static resources support\n  *  It must have a non-permitAll authorization rule applied to the static resources support"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-10-28T07:06:13.404Z"}, "references": [{"url": "https://spring.io/security/cve-2024-38821"}], "source": {"discovery": "UNKNOWN"}, "title": "Authorization Bypass of Static Resources in WebFlux Applications", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-770", "lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "affected": [{"vendor": "spring", "product": "webflux", "cpes": ["cpe:2.3:a:spring:webflux:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.7.x", "status": "affected", "lessThan": "5.7.13", "versionType": "custom"}, {"version": "5.8x", "status": "affected", "lessThan": "5.8.15", "versionType": "custom"}, {"version": "6.0x", "status": "affected", "lessThan": "6.0.13", "versionType": "custom"}, {"version": "6.1x", "status": "affected", "lessThan": "6.1.11", "versionType": "custom"}, {"version": "6.2x", "status": "affected", "lessThan": "6.2.7", "versionType": "custom"}, {"version": "6.3x", "status": "affected", "lessThan": "6.3.4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-31T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-38821"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-01T03:55:20.442Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250124-0006/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-01-24T20:03:04.932Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38821", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-28T12:31:35.974420Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:spring:webflux:*:*:*:*:*:*:*:*"], "vendor": "spring", "product": "webflux", "versions": [{"status": "affected", "version": "5.7.x", "lessThan": "5.7.13", "versionType": "custom"}, {"status": "affected", "version": "5.8x", "lessThan": "5.8.15", "versionType": "custom"}, {"status": "affected", "version": "6.0x", "lessThan": "6.0.13", "versionType": "custom"}, {"status": "affected", "version": "6.1x", "lessThan": "6.1.11", "versionType": "custom"}, {"status": "affected", "version": "6.2x", "lessThan": "6.2.7", "versionType": "custom"}, {"status": "affected", "version": "6.3x", "lessThan": "6.3.4", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-28T12:37:58.707Z"}}], "cna": {"title": "Authorization Bypass of Static Resources in WebFlux Applications", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring", "versions": [{"status": "affected", "version": "5.7.x", "lessThan": "5.7.13", "versionType": "Enterprise Support Only"}, {"status": "affected", "version": "5.8.x", "lessThan": "5.8.15", "versionType": "Enterprise Support Only"}, {"status": "affected", "version": "6.0.x", "lessThan": "6.0.13", "versionType": "Enterprise Support Only"}, {"status": "affected", "version": "6.1.x", "lessThan": "6.1.11", "versionType": "Enterprise Support Only"}, {"status": "affected", "version": "6.2.x", "lessThan": "6.2.7", "versionType": "OSS"}, {"status": "affected", "version": "6.3.x", "lessThan": "6.3.4", "versionType": "OSS"}], "packageName": "Spring Security", "defaultStatus": "affected"}], "datePublic": "2024-10-22T05:34:00.000Z", "references": [{"url": "https://spring.io/security/cve-2024-38821"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.\n\nFor this to impact an application, all of the following must be true:\n\n  *  It must be a WebFlux application\n  *  It must be using Spring's static resources support\n  *  It must have a non-permitAll authorization rule applied to the static resources support", "supportingMedia": [{"type": "text/html", "value": "<p>Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.</p><p>For this to impact an application, all of the following must be true:</p><ul><li>It must be a WebFlux application</li><li>It must be using Spring's static resources support</li><li>It must have a non-permitAll authorization rule applied to the static resources support</li></ul><br>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-10-28T07:06:13.404Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38821", "state": "PUBLISHED", "dateUpdated": "2024-11-01T03:55:20.442Z", "dateReserved": "2024-06-19T22:32:06.583Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2024-10-28T07:06:13.404Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.\n\nFor this to impact an application, all of the following must be true:\n\n  *  It must be a WebFlux application\n  *  It must be using Spring's static resources support\n  *  It must have a non-permitAll authorization rule applied to the static resources support"}, {"lang": "es", "value": "Las aplicaciones WebFlux de Spring que tienen reglas de autorizaci\u00f3n de Spring Security sobre recursos est\u00e1ticos pueden omitirse en determinadas circunstancias. Para que esto afecte a una aplicaci\u00f3n, deben cumplirse todas las condiciones siguientes: * Debe ser una aplicaci\u00f3n WebFlux * Debe utilizar el soporte de recursos est\u00e1ticos de Spring * Debe tener una regla de autorizaci\u00f3n que no sea permitAll aplicada al soporte de recursos est\u00e1ticos"}], "id": "CVE-2024-38821", "lastModified": "2025-01-24T20:15:32.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2024-10-28T07:15:07.633", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2024-38821"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20250124-0006/"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Spring-WebFlux: Authorization Bypass of Static Resources in WebFlux Applications", "id": "2322098", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2322098"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-639", "details": ["Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.\nFor this to impact an application, all of the following must be true:\n*  It must be a WebFlux application\n*  It must be using Spring's static resources support\n*  It must have a non-permitAll authorization rule applied to the static resources support", "An authorization bypass vulnerability was found in Spring WebFlux applications, impacting static resources under specific conditions. If an application uses Spring's static resources support with restricted (non-permitAll) authorization rules, unauthorized access to these resources may be possible."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-38821", "package_state": [{"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Not affected", "package_name": "org.springframework/spring-webflux", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "org.springframework/spring-webflux", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "org.springframework/spring-webflux", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.springframework/spring-webflux", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.springframework/spring-webflux", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2024-10-28T07:06:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-38821\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38821\nhttps://spring.io/security/cve-2024-38821"], "statement": "This issue is classified as a moderate severity vulnerability because it impacts only specific configurations in Spring WebFlux applications and does not compromise dynamic or core application functionality. To exploit this vulnerability, the application must not only be using Spring WebFlux but must also serve static resources with non-permitAll authorization rules. Furthermore, the breach affects only static resources\u2014such as CSS, JavaScript, or images\u2014that, while potentially sensitive, do not contain dynamic, user-specific data or functional endpoints that interact directly with business logic.\nRed Hat JBoss Enterprise Application Platform (EAP/XP) is not affected by this issue, as they do not utilize Spring WebFlux or the associated static resources functionality, either at runtime or within distributed repositories. This architecture eliminates the conditions necessary for this vulnerability to be exploited.", "threat_severity": "Moderate"}