Ethical Hacking News
Spring users must act quickly to patch a newly disclosed critical-severity vulnerability in Spring Security that could allow attackers to bypass authorization rules and reach protected resources.
Spring Security, the security module of the widely used open-source Spring framework, contains a critical-severity authorization bypass tracked as CVE-2024-38821. Snyk research has put Spring in 60% of Java applications, so the potential exposure is broad, but the flaw only affects one specific configuration: Spring WebFlux applications that serve static resources and apply non-permitAll authorization rules to them. All three conditions (WebFlux, static resources, non-permitAll rules) must hold for an application to be affected. Spring itself rates the bug critical; other assessors, including Red Hat, have assigned lower scores. Developers are advised to upgrade to a fixed Spring Security release to remove the risk.
Spring Security, the security module of the open-source Spring framework, has been found to contain a critical-severity vulnerability, CVE-2024-38821, that could allow attackers to bypass authorization rules and reach sensitive data. It specifically affects applications built on Spring WebFlux, Spring's reactive web stack, and carries the potential for significant harm to organizations that rely on those applications.
According to Snyk research from 2020, the Spring framework is widely used in Java applications, with 60% of Java apps relying on it. More recent findings from Incus Data put Spring Boot in 58-72% of apps and Spring MVC in 29-41%. That breadth of adoption makes the vulnerability all the more concerning, even though only the subset of those applications built on WebFlux is in scope.
The vulnerability affects only a specific configuration of Spring WebFlux applications: those that serve static resources and apply non-permitAll authorization rules to them. Static resources are files such as CSS, JavaScript and images, which contain no dynamic, user-specific data, as opposed to functional endpoints that interact directly with business logic.
An application is vulnerable only when three conditions hold together: (1) it uses Spring WebFlux, (2) it serves static resources, and (3) it applies authorization rules other than permitAll to those resources. When all three are present on an unpatched version, an attacker can bypass those rules and retrieve static resources that were meant to be protected, along with whatever sensitive content they hold.
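To make the three conditions concrete, here is an added illustration (not code from the Spring project, the advisory or the article) of a Spring Boot WebFlux security configuration whose shape matches all three. Package, class and path names are hypothetical; `/internal-assets/**` stands in for static files that are meant to be restricted, and the code shows the affected configuration shape only, not the bypass itself.

```java
// Added illustration, not code from the Spring project or the article.
// Package, class and path names are hypothetical.
package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.reactive.config.ResourceHandlerRegistry;
import org.springframework.web.reactive.config.WebFluxConfigurer;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    // Condition 1: this is a WebFlux (reactive) application, so the reactive
    // ServerHttpSecurity DSL is used instead of the servlet HttpSecurity one.
    // Condition 3: the rule for /internal-assets/** is NOT permitAll(); the
    // application relies on Spring Security to keep those files from
    // unauthenticated or non-admin users. On an unpatched Spring Security
    // release this is the combination the advisory describes as affected.
    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("/internal-assets/**").hasRole("ADMIN") // protected static files
                .pathMatchers("/css/**", "/js/**").permitAll()         // public static files: out of scope
                .anyExchange().authenticated())
            .httpBasic(Customizer.withDefaults())
            .build();
    }
}

// Condition 2 made explicit: the application serves static resources from a
// classpath directory under /internal-assets/. (With Spring Boot defaults,
// classpath:/static/ is also served at the root without any extra code.)
@Configuration
class StaticResourceConfig implements WebFluxConfigurer {
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/internal-assets/**")
                .addResourceLocations("classpath:/internal-assets/");
    }
}
```

The comments mark where each condition appears. Rewriting the `/internal-assets/**` rule as `permitAll()` would remove condition 3 for those files, but that is only acceptable when the files are genuinely public; the actual remedy is to upgrade the Spring Security dependency, which needs no change to this configuration.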
Spring itself and the National Vulnerability Database (NVD) rated the vulnerability critical, with a CVSS score of 9.1. Red Hat, IBM's enterprise Linux subsidiary, disputed that assessment, scoring it 7.4 and rating its impact as moderate on the grounds that only a narrow set of configurations is affected.
The advisory from Italy's Computer Security Incident Response Team (CSIRT-ITA) landed in between, assessing the impact as high with a score of 65.51 out of a possible 100.
To remove the risk posed by CVE-2024-38821, developers should upgrade to a patched release of Spring Security. The fixed versions are 5.7.13, 5.8.15, 6.0.13, 6.1.11, 6.2.7 and 6.3.4; older branches that are no longer supported should be assumed affected and moved to a supported branch. Note that these are Spring Security version numbers, not Spring Framework ones, so check the spring-security artifacts in the dependency tree rather than spring-core.
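A version triage helper, as an added example that is not part of the article or of Spring: it classifies a Spring Security version string against the fixed release for its minor branch, so a dependency report can be checked mechanically. The class name is hypothetical, and treating branches outside 5.7 to 6.3 as affected is this example's own policy (Spring's advisories state that older, unsupported versions are also affected, without enumerating them).

```java
// Added helper, not from the Spring project or the article. The class name is
// hypothetical; the fixed-version table is the advisory's list, and the
// "unknown branch means affected" rule is this example's own policy.
import java.util.Map;

public final class SpringSecurityCve202438821Check {

    // Fixed patch level per supported minor branch (major.minor -> {major, minor, patch}).
    private static final Map<String, int[]> FIXED = Map.of(
        "5.7", new int[]{5, 7, 13},
        "5.8", new int[]{5, 8, 15},
        "6.0", new int[]{6, 0, 13},
        "6.1", new int[]{6, 1, 11},
        "6.2", new int[]{6, 2, 7},
        "6.3", new int[]{6, 3, 4});

    public enum Status { FIXED, AFFECTED, UNKNOWN_BRANCH_ASSUME_AFFECTED }

    // Parses "major.minor.patch" with an optional qualifier, e.g. "6.3.4" or
    // "6.3.4-SNAPSHOT"; anything without three numeric components is rejected.
    static int[] parse(String version) {
        String[] parts = version.trim().split("[-.]");
        if (parts.length < 3) {
            throw new IllegalArgumentException("expected major.minor.patch, got: " + version);
        }
        return new int[]{
            Integer.parseInt(parts[0]),
            Integer.parseInt(parts[1]),
            Integer.parseInt(parts[2])};
    }

    // FIXED when the patch level is at or above the branch's fixed release,
    // AFFECTED when below it, and "assume affected" for any other branch.
    public static Status check(String version) {
        int[] v = parse(version);
        int[] fixed = FIXED.get(v[0] + "." + v[1]);
        if (fixed == null) {
            return Status.UNKNOWN_BRANCH_ASSUME_AFFECTED;
        }
        return v[2] >= fixed[2] ? Status.FIXED : Status.AFFECTED;
    }

    // Pass version strings on the command line; with none, a constructed
    // sample set covering both sides of two branch boundaries is used.
    public static void main(String[] args) {
        String[] samples = args.length > 0
            ? args
            : new String[]{"6.3.3", "6.3.4", "6.1.10", "6.1.11", "5.6.12", "6.2.7-SNAPSHOT"};
        for (String s : samples) {
            System.out.println(s + " -> " + check(s));
        }
    }
}
```

Feed it the versions of the spring-security artifacts reported by `mvn dependency:tree -Dincludes=org.springframework.security` or `gradle dependencies --configuration runtimeClasspath`; any result other than FIXED is an upgrade candidate, and a snapshot at the fixed patch level is reported FIXED only because the patch number matches, so confirm it was built after the fix landed.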
As with any vulnerability, organizations that rely on Spring Security should act promptly: inventory which applications run WebFlux with authorization rules on static resources, and upgrade those first, since an attacker could use the flaw to reach resources those rules were meant to guard.
In conclusion, CVE-2024-38821 highlights the importance of ongoing vulnerability management and of staying current with security patches and updates. Addressing this vulnerability promptly reduces an organization's exposure, whichever of the published severity scores one accepts.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2024/10/29/admins_spring_into_action_over/
Published: Tue Oct 29 11:27:40 2024 by llama3.2 3B Q4_K_M