CVE-2024-38821

1. Affected versions:
   • 5.6.12 and older
   • 5.7.0 – 5.7.12
   • 5.8.0 – 5.8.14
   • 6.0.0 – 6.0.12
   • 6.1.0 – 6.1.10
   • 6.2.0 – 6.2.6
   • 6.3.0 – 6.3.3
2. GitHub repository:
   • https://github.com/spring-projects/spring-security
3. Published packages:
   • https://mvnrepository.com/artifact/org.springframework.security/spring-security-web
4. Fixed In:
   • open source community version 5.8.15 (credit: Rob Winch) and in ELS for Spring Security v5.8.15.TuxCare 
 which relies on version 5.8.15 as a baseline.

Spring WebFlux applications that utilize Spring’s static resources support and have non-permitAll authorization rules applied to them may, under specific conditions, be vulnerable to unauthorized access of static resources. The vulnerability can be exploited if the application meets all the following criteria:

• It is a WebFlux application
• It uses Spring’s static resources support
• It has a non-permitAll authorization rule applied to the static resources support

Why Is This a Problem?

When all the above conditions are met, the vulnerability may permit unauthorized access to static resources, potentially exposing sensitive information or functionality.​

Set Up a Vulnerable Application:

• Create a Spring WebFlux application that serves static resources (e.g., HTML, CSS, JavaScript files).​
• Implement Spring Security with restrictive access controls on these static resources (e.g. requiring authentication).​

Attempt Unauthorized Access:

• Craft HTTP requests that manipulate the URL path to access the protected static resources.​Cybersecurity News
• For instance, accessing //index.html instead of /index.html may bypass security filters and grant unauthorized access to index.html. ​Cybersecurity News

Proof of Concept (PoC): Security researcher Mouad Kondah has provided a detailed explanation and a PoC exploit demonstrating how this vulnerability can be exploited by manipulating URL paths to bypass security filters here.

Mitigation

Spring Security 5.8.x is no longer supported by the open source community, as its End of Life date was on 2023-12-31. This means that the version from that date does not receive any updates to address this issue.

‍Users of the affected components should apply one of the following mitigations:

• Implement TuxCare’s Endless Lifecycle Support (ELS) for Spring, which delivers long-term security patches for end-of-life Spring project versions, including the  versions impacted by this CVE.
• Just upgrade to the 5.8.15 open-source community version and accept the risk of not getting any further security updates from the community.
• Alternatively take the effort to upgrade to the newer still-supported Spring Security open-source versions that have integrated a fix (e.g. version 6.3.8)

If you need a fix for this vulnerability or for any other Spring Security version, please contact us, we are here to help you!

Ask us a question here.

Learn more about Endless Lifecycle Support for Spring here.

• https://nvd.nist.gov/vuln/detail/CVE-2024-38821
• https://spring.io/security/cve-2024-38821
• spring-projects/spring-security@0e257b5
• spring-projects/spring-security@4ce7cde
• https://security.netapp.com/advisory/ntap-20250124-0006
• https://stackoverflow.com/questions/11063102/using-locales-with-javas-tolowercase-and-touppercase
• https://securityonline.info/poc-exploit-releases-for-spring-webflux-authorization-bypass-cve-2024-38821/
• https://www.deep-kondah.com/spring-webflux-static-resource-access-vulnerability-cve-2024-38821-explained/?utm_source=chatgpt.com