October 29, 2024 at 10:42AM
A critical-severity vulnerability (CVE-2024-38821) has been disclosed for Spring WebFlux applications, potentially allowing a security rule bypass when specific conditions are met. While Spring rates it as critical (9.1 CVSS), others, such as IBM, assess it as moderate (7.4). Updated versions are available for the affected releases.
### Meeting Notes Takeaways
**Vulnerability Disclosure:**
– A critical-severity vulnerability (CVE-2024-38821) has been disclosed affecting applications built using Spring WebFlux.
**Conditions for Vulnerability:**
– An application is only deemed vulnerable if:
1. It uses Spring WebFlux.
2. It employs the framework’s static resources support.
3. It has a non-permitAll authorization rule on static resources.
– All three conditions must be met for an app to be considered vulnerable.
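As an added illustration (not code from the advisory or from the Spring project), the following is a minimal Spring Security WebFlux configuration that satisfies all three conditions above; the class name, the `/static/**` path, and the `STAFF` role are assumptions chosen for the example:

```java
// Added example: a WebFlux application that meets all three conditions from the notes.
// Class name, resource path and role name are assumptions, not values from the advisory.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.reactive.config.EnableWebFlux;
import org.springframework.web.reactive.config.ResourceHandlerRegistry;
import org.springframework.web.reactive.config.WebFluxConfigurer;

@Configuration
@EnableWebFlux           // condition 1: the application uses Spring WebFlux
@EnableWebFluxSecurity
public class StaticResourceSecurityConfig implements WebFluxConfigurer {

    // condition 2: the framework's static resources support is in use
    // (files under classpath:/static/ are served at /static/**)
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/static/**")
                .addResourceLocations("classpath:/static/");
    }

    // condition 3: a non-permitAll authorization rule covers those static resources.
    // If this rule were .permitAll(), the application would not meet condition 3.
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
                .authorizeExchange(exchanges -> exchanges
                        .pathMatchers("/static/**").hasRole("STAFF")
                        .anyExchange().authenticated())
                .httpBasic(Customizer.withDefaults())
                .build();
    }
}
```

When reviewing a code base against the three conditions, the `addResourceHandlers` override (or, in Spring Boot, the default serving of `classpath:/static/` and similar locations) identifies condition 2, and any `pathMatchers(...)` rule on those paths other than `permitAll()` identifies condition 3. The remediation the notes call for is upgrading the affected Spring Security line to its fixed version; the rule itself is the expected way to protect non-public static content and does not need to be rewritten.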
**Severity Ratings:**
– The vulnerability has a CVSS rating of 9.1 (critical) from Spring and the National Vulnerability Database (NVD).
– IBM assesses the severity lower, at 7.4 (moderate), because exploitation depends on the specific configuration described above.
– Italy’s CSIRT-ITA rates the impact as “high” (65.51 out of 100).
**Impacted Versions of Spring:**
– The following versions are affected and have fixed versions available:
  – **5.7.x** – fixed version: 5.7.13
  – **5.8.x** – fixed version: 5.8.15
  – **6.0.x** – fixed version: 6.0.13
  – **6.1.x** – fixed version: 6.1.11
  – **6.2.x** – fixed version: 6.2.7
– Older, unsupported versions are also affected.
**General Information:**
– Spring is widely used in the Java ecosystem; a substantial share of Java applications depend on it.
– Although a security rule bypass is sensitive in principle, this vulnerability affects only static resources (e.g., CSS, JavaScript, images), which do not contain dynamic or user-specific data.
**Next Steps:**
– Organizations running affected versions of Spring WebFlux should review their configurations against the three conditions above and, if they meet them, update to the fixed versions.