PT-2024-7497 · Spring · Spring Webflux
Tkswifty
·
Published
2024-10-25
·
Updated
2026-05-25
·
CVE-2024-38821
CVSS v2.0
9.4
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions:
Spring WebFlux (affected versions not specified)
Description:
The issue is caused by weaknesses in the authorization procedure of the Spring Framework's WebMvc.fn and WebFlux.fn functional web frameworks. This can allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. For an application to be affected, it must be a WebFlux application, use Spring's static resources support, and have a non-permitAll authorization rule applied to the static resources support. An exploit for this issue has been released and is being actively exploited.
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Improper Authorization
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Spring Webflux