Bug 2322098 (CVE-2024-38821)

Summary: CVE-2024-38821 Spring-WebFlux: Authorization Bypass of Static Resources in WebFlux Applications
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, fjuma, gmalinko, istudens, ivassile, iweiss, janstey, kaycoth, lgao, mosmerov, msochure, msvehla, nwallace, parichar, pdelbell, pjindal, pmackay, rstancel, rstepani, smaestri, tasato, tom.jenkinson
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An authorization bypass vulnerability was found in Spring WebFlux applications, impacting static resources under specific conditions. If an application uses Spring's static resources support with restricted (non-permitAll) authorization rules, unauthorized access to these resources may be possible.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description (OSIDB Bzimport, 2024-10-28 08:01:04 UTC)
In Spring WebFlux applications, Spring Security authorization rules applied to static resources can be bypassed under certain circumstances.

For this to impact an application, all of the following must be true:

  *  It must be a WebFlux application
  *  It must be using Spring's static resources support
  *  It must have a non-permitAll authorization rule applied to the static resources support