opensearch-build
CVE-2024-38821 (Critical) detected in spring-security-web-5.8.7.jar
CVE-2024-38821 - Critical Severity Vulnerability
Vulnerable Library - spring-security-web-5.8.7.jar
Spring Security
Library home page: https://spring.io
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.security/spring-security-web/5.8.7/b28db4ea3fb69adf99d2a10e61b55c5869518193/spring-security-web-5.8.7.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
  - :x: spring-security-web-5.8.7.jar (Vulnerable Library)
Found in HEAD commit: c9934b385037128b6444abf6cd7fccd3a7405c2b
Found in base branch: main
Vulnerability Details
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true:
- it must be a WebFlux application,
- it must be using Spring's static resources support, and
- it must have a non-permitAll authorization rule applied to the static resources support.
Publish Date: 2024-10-28
URL: CVE-2024-38821
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38821
Release Date: 2024-10-28
Fix Resolution: org.springframework.security:spring-security-web: 5.7.13, 5.8.15, 6.0.13, 6.1.11, 6.2.7, 6.3.4