VYPR
Critical severity 9.1 · GHSA Advisory · Published Oct 28, 2024 · Updated Apr 15, 2026

CVE-2024-38821

Description

In Spring WebFlux applications, Spring Security authorization rules on static resources can be bypassed under certain circumstances.

For this to impact an application, all of the following must be true:

  • It must be a WebFlux application
  • It must be using Spring's static resources support
  • It must have a non-permitAll authorization rule applied to the static resources support

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.springframework.security:spring-security-web (Maven) | < 5.7.13 | 5.7.13
org.springframework.security:spring-security-web (Maven) | >= 5.8.0, < 5.8.15 | 5.8.15
org.springframework.security:spring-security-web (Maven) | >= 6.2.0, < 6.2.7 | 6.2.7
org.springframework.security:spring-security-web (Maven) | >= 6.0.0, < 6.0.13 | 6.0.13
org.springframework.security:spring-security-web (Maven) | >= 6.1.0, < 6.1.11 | 6.1.11
org.springframework.security:spring-security-web (Maven) | >= 6.3.0, < 6.3.4 | 6.3.4
