Spring Security: Critical vulnerability enables authorization bypass

There is a critical vulnerability in VMware Tanzu Spring Security that allows attackers to bypass authorization rules.

Criminals attack server, admin tries to pull the plug

(Image: created with AI in Bing Designer by heise online / dmk)

Attackers can abuse a critical vulnerability in VMware Tanzu Spring Security to bypass authorization rules. Updated software is available to patch the vulnerability.

Spring Security is an extensively configurable authentication and access-control framework and the de facto standard for securing Spring-based applications. In a security advisory, the Spring Security developers warn that in Spring WebFlux applications, Spring Security authorization rules applied to static resources can be bypassed under certain circumstances (CVE-2024-38821, CVSS 9.1, risk "critical"). For an application to be affected, all three of the following must hold: it is a WebFlux application, it uses Spring's static resource support, and it applies an authorization rule other than permitAll() to those static resources. Servlet-based (Spring MVC) applications do not meet the first condition.
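To make the three conditions concrete, here is an added example of a WebFlux security configuration that meets all of them. It is not code from the advisory or from the Spring project; the `/reports/**` path, the `reports/` classpath folder and the `ADMIN` role are hypothetical, chosen only to show the pattern. Spring Boot's auto-configured static locations (classpath:/static/ and friends) use the same resource support, so a Boot application with a non-permitAll rule on those paths fits the description as well.

```java
// Added illustration (not from the advisory or the Spring project): a Spring WebFlux
// setup that satisfies all three conditions from the advisory. The path, folder and
// role names are hypothetical.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.reactive.function.server.RouterFunction;
import org.springframework.web.reactive.function.server.RouterFunctions;
import org.springframework.web.reactive.function.server.ServerResponse;

@Configuration
@EnableWebFluxSecurity
public class StaticResourceSecurityConfig {

    // Condition 1 is the application type itself: this is a WebFlux (reactive) application.

    // Condition 2: Spring's static resource support, serving files from classpath:/reports/.
    @Bean
    public RouterFunction<ServerResponse> reportFiles() {
        return RouterFunctions.resources("/reports/**", new ClassPathResource("reports/"));
    }

    // Condition 3: an authorization rule other than permitAll() on those static resources.
    // With an affected Spring Security version, this hasRole("ADMIN") rule is the one the
    // advisory says can be bypassed.
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("/reports/**").hasRole("ADMIN")
                .anyExchange().authenticated())
            .httpBasic(Customizer.withDefaults())
            .build();
    }
}
```

If the rule on the static path were `permitAll()`, the third condition would not be met and there would be nothing to bypass; the problem only matters where static files were deliberately restricted, which is exactly where a bypass hurts most.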

The vulnerability affects Spring Security 5.7.0-5.7.12, 5.8.0-5.8.14, 6.0.0-6.0.12, 6.1.0-6.1.10, 6.2.0-6.2.6 and 6.3.0-6.3.3, as well as older versions that are no longer supported. The fixed versions 5.7.13, 5.8.15, 6.0.13 and 6.1.11 are only available with Enterprise Support; the updated versions 6.2.7 and 6.3.4 are available as open source.
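The version ranges above are easy to misread when a dependency tree is long, so here is an added helper that checks a Spring Security version string against them. It is not from heise or the Spring project; the class name is hypothetical, and it only encodes the ranges listed in this article (branches before 5.7 are treated as affected with no patched release).

```java
// Added helper (not from heise or the Spring project): classifies a Spring Security
// version string against the affected ranges listed in the advisory.
// Run stand-alone on JDK 11+ with:  java SpringSecurityCve202438821Check.java 6.2.6
public class SpringSecurityCve202438821Check {

    // {first affected, last affected, first fixed} per supported branch, all inclusive.
    private static final String[][] AFFECTED = {
        {"5.7.0", "5.7.12", "5.7.13"},
        {"5.8.0", "5.8.14", "5.8.15"},
        {"6.0.0", "6.0.12", "6.0.13"},
        {"6.1.0", "6.1.10", "6.1.11"},
        {"6.2.0", "6.2.6",  "6.2.7"},
        {"6.3.0", "6.3.3",  "6.3.4"},
    };

    // Parse "major.minor.patch"; a qualifier such as "-SNAPSHOT" or "-RC1" is dropped,
    // so a pre-release build of a fixed version is reported as fixed. Check the exact
    // build if you rely on snapshots.
    static int[] parse(String version) {
        String core = version.split("[-+]")[0];
        String[] parts = core.split("\\.");
        int[] out = new int[3];
        for (int i = 0; i < 3 && i < parts.length; i++) {
            out[i] = Integer.parseInt(parts[i].trim());
        }
        return out;
    }

    // Numeric comparison of two dotted versions (negative, zero or positive).
    static int compare(String a, String b) {
        int[] x = parse(a), y = parse(b);
        for (int i = 0; i < 3; i++) {
            if (x[i] != y[i]) return Integer.compare(x[i], y[i]);
        }
        return 0;
    }

    // Returns the first fixed release for an affected version, null if the version is
    // not in any affected range, or a hint when the branch is out of support entirely.
    static String fixedVersionFor(String version) {
        for (String[] range : AFFECTED) {
            if (compare(version, range[0]) >= 0 && compare(version, range[1]) <= 0) {
                return range[2];
            }
        }
        if (compare(version, "5.7.0") < 0) {
            return "no patched release for this branch; move to 6.2.7 or 6.3.4";
        }
        return null;
    }

    public static void main(String[] args) {
        String version = args.length > 0 ? args[0] : "6.2.6";
        String fix = fixedVersionFor(version);
        if (fix == null) {
            System.out.println(version + ": not in an affected range");
        } else {
            System.out.println(version + ": affected by CVE-2024-38821, fix: " + fix);
        }
    }
}
```

Feed it the version of `spring-security-core` (or `spring-security-web`) as reported by `mvn dependency:list` or `gradle dependencies`; the transitive version pulled in by a Spring Boot starter is the one that counts, not the Boot version itself.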


Anyone using Spring Security should download and install the available updates as soon as possible, since the vulnerability that has been closed is rated a critical risk. Until the update is in place, it is worth checking whether an application meets all three conditions named in the advisory; where it does, authorization rules on the static resources cannot be relied on, and whatever those resources contain should be treated as exposed.

The VMware Tanzu Spring Framework regularly needs security fixes. In March, for example, updates closed a gap that the developers had already tried to seal once before; it turned out to be exploitable in other ways, which made further updates necessary.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.