CVERadar

CVE-2024-38821

Severity: Critical
SVRS: 79/100
CVSSv3: 9.1/10
EPSS: 0.09577/1

CVE-2024-38821: An authorization bypass of static resources in Spring WebFlux applications. Spring Security authorization rules applied to static resources can be bypassed under certain circumstances. For an application to be affected, all three of the following must hold: it is a WebFlux application (Servlet/MVC applications are not affected), it uses Spring's static resources support, and a non-permitAll authorization rule is applied to those static resources. Per the Spring advisory, the affected versions are Spring Security 5.7.0 to 5.7.12, 5.8.0 to 5.8.14, 6.0.0 to 6.0.12, 6.1.0 to 6.1.10, 6.2.0 to 6.2.6 and 6.3.0 to 6.3.3; the fixed releases are 5.7.13, 5.8.15, 6.0.13, 6.1.11, 6.2.7 and 6.3.4. Spring rates the issue Critical, and the CVSS v3.1 score of 9.1 reflects an unauthenticated network attacker with high confidentiality and integrity impact and no availability impact. The SOCRadar Vulnerability Risk Score (SVRS) of 79 sits just below the 80 threshold SOCRadar uses for critical, but that proximity, together with the public proof-of-concept listed under Exploits below, means the issue warrants prompt investigation. Upgrade to a fixed release. If that is not immediately possible, confirm whether the application actually meets all three preconditions: a Servlet application, or a WebFlux application whose static resources are permitAll or not served through Spring's static resources support, is not exposed.
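As an added example (not CVE Radar's, Spring's or the PoC author's code), the following Python script turns the three preconditions above into a quick triage check. It classifies a Spring Security version string against the affected ranges in the Spring advisory and scans saved output of mvn dependency:tree for what the classpath alone can show: the Spring Security version in use and whether the application is WebFlux (spring-webflux) rather than Servlet (spring-webmvc). The dependency-tree text inside the block is constructed sample data. The third precondition, a non-permitAll rule on static resources, lives in the application's SecurityWebFilterChain and cannot be read from the classpath, so the script reports "exposed" only as "affected version and WebFlux", to be confirmed against the security configuration.

```python
"""Exposure triage for CVE-2024-38821 from Maven dependency output.

Added example for this page, not CVE Radar's or Spring's own code. The affected
ranges and fixed releases are those listed in the Spring advisory at
https://spring.io/security/cve-2024-38821. The dependency-tree samples below are
constructed, not captured from a real build.
"""
import re

# (first affected release, first fixed release) per Spring Security branch, per the advisory.
BRANCHES = [
    ("5.7.0", "5.7.13"),
    ("5.8.0", "5.8.15"),
    ("6.0.0", "6.0.13"),
    ("6.1.0", "6.1.11"),
    ("6.2.0", "6.2.7"),
    ("6.3.0", "6.3.4"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]([0-9A-Za-z]+))?$")
# Matches "group:artifact:jar:version" as printed by `mvn dependency:tree`.
_DEP_RE = re.compile(r"(org\.springframework(?:\.security)?):([\w-]+):jar:([^:\s]+)")


def version_key(text):
    """Sortable key (major, minor, patch, final). A pre-release such as 6.3.4-RC1 or
    6.3.4-SNAPSHOT sorts before 6.3.4 itself, so it is never assumed to carry the fix."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Security version: {text!r}")
    major, minor, patch, suffix = m.groups()
    final = 1 if suffix in (None, "RELEASE") else 0
    return (int(major), int(minor), int(patch), final)


def status(version):
    """Return 'affected', 'not affected' or 'unknown' for one Spring Security version."""
    v = version_key(version)
    for first, fixed in BRANCHES:
        if version_key(first) <= v < version_key(fixed):
            return "affected"
    if v < version_key(BRANCHES[0][0]):
        # Older than 5.7: not covered by the advisory's ranges and out of support; check manually.
        return "unknown"
    return "not affected"


def assess_dependency_tree(tree_text):
    """Scan `mvn dependency:tree` output for the Spring Security version(s) and for the
    web stack (spring-webflux vs spring-webmvc). Only a WebFlux app on an affected
    version can be exposed; the static-resource rule must still be checked in config."""
    versions, webflux, webmvc = set(), False, False
    for group, artifact, version in _DEP_RE.findall(tree_text):
        if group == "org.springframework.security" and artifact.startswith("spring-security-"):
            versions.add(version)
        elif group == "org.springframework" and artifact == "spring-webflux":
            webflux = True
        elif group == "org.springframework" and artifact == "spring-webmvc":
            webmvc = True
    statuses = {status(v) for v in versions}
    # Worst case wins if several Spring Security versions are mixed on the classpath.
    worst = next((s for s in ("affected", "unknown", "not affected") if s in statuses),
                 "no spring-security found")
    return {
        "security_versions": sorted(versions),
        "status": worst,
        "webflux": webflux,
        "webmvc": webmvc,
        "exposed": worst == "affected" and webflux,
    }


# Constructed sample: a Boot 3.3.x WebFlux app pulling in Spring Security 6.3.3.
SAMPLE_WEBFLUX_TREE = r"""
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-webflux:jar:3.3.4:compile
[INFO] |  \- org.springframework:spring-webflux:jar:6.1.13:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:3.3.4:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:6.3.3:compile
[INFO] |  \- org.springframework.security:spring-security-web:jar:6.3.3:compile
[INFO] \- org.springframework.security:spring-security-core:jar:6.3.3:compile
"""

# Constructed sample: same Spring Security version, but a Servlet (MVC) app, so not exposed.
SAMPLE_MVC_TREE = (SAMPLE_WEBFLUX_TREE
                   .replace("spring-boot-starter-webflux", "spring-boot-starter-web")
                   .replace("spring-webflux", "spring-webmvc"))

if __name__ == "__main__":
    for name, tree in (("webflux app", SAMPLE_WEBFLUX_TREE), ("mvc app", SAMPLE_MVC_TREE)):
        print(name, assess_dependency_tree(tree))
```

Feed it the saved output of mvn dependency:tree; Gradle users can adapt the regular expression to the dependencies task, which prints group:artifact:version without the jar: segment. A pre-release of a fixed version, such as 6.3.4-RC1, is reported as affected on purpose, because it may predate the fix.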

In The Wild
Exploit Available
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Published: 2024-10-28
Last modified: 2025-01-24

Indicators of Compromise

No IOCs found for this CVE

Exploits

Title                       Software Link                                  Date
masa42/CVE-2024-38821-POC   https://github.com/masa42/CVE-2024-38821-POC   2025-01-18

This is a third-party proof-of-concept repository, not vendor code; review it before running it against anything.

News

ISC StormCast for Wednesday, October 30th, 2024
Dr. Johannes B. Ullrich, 2024-10-30 (sans.edu)
ISC StormCast for Wednesday, October 30th, 2024 | Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. CyberPanel RCE; Spring WebFlux Vuln; MSFT Implements DANE; Attackers Enable RDP. Critical RCE Vulnerability in CyberPanel https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce Spring WebFlux Vulnerability https://access.redhat.com/security/cve/cve-2024-38821 https://spring.io/security/cve-2024-38821 Inbound SMTP DANE with DNSSEC for Exchange Online https://
Daily Summary - 29.10.2024
CERT.at, 2024-12-02 (cert.at)
Daily Summary - 29.10.2024 | End-of-Day report Timeframe: Monday 28-10-2024 18:00 - Tuesday 29-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a News New tool bypasses Google Chrome's new cookie encryption system A researcher has released a tool to bypass Google's new App-Bound encryption cookie-theft defenses and extract saved credentials from the Chrome web browser. https://www.bleepingcomputer.com/news/security/new-tool-bypasses-google-chromes-new-cookie-encryption-system/
CVE-2024-38821 | VMware Spring Security up to 6.3.3 WebFlux improper authorization
vuldb.com, 2024-10-28 (vuldb.com)
CVE-2024-38821 | VMware Spring Security up to 6.3.3 WebFlux improper authorization | A vulnerability was found in VMware Spring Security up to 6.3.3 and classified as critical. This issue affects some unknown processing of the component WebFlux. The manipulation leads to improper authorization. The identification of this vulnerability is CVE-2024-38821. The attack may be initiated remotely. There is no exploit available. It

Social Media

This is a well-written article about CVE-2024-38821 — a critical Spring authorization bypass vulnerability. The blog post provides a clear explanation of filters and handlers workflows. https://t.co/mdoMC2B5HG

PoC Exploit Releases for Spring WebFlux Authorization Bypass – CVE-2024-38821 - https://t.co/TBoGsxdq2s

PoC Exploit Releases for Spring WebFlux Authorization Bypass - CVE-2024-38821 Discover the technical details of CVE-2024-38821 exploit in Spring WebFlux and understand the potential risks it poses to your application's security. https://t.co/NAQoqUn98b

Warning: Critical Authorization Bypass vulnerability in #Spring WebFlux Applications. #CVE-2024-38821 CVSS: 9.1 can allow Spring Security authentication rules to be bypassed. #Patch #Patch #Patch

CVE-2024-38821 (CVSS 9.1) Allows Authorization Bypass in Spring WebFlux Applications https://t.co/qkzJQKM2JZ

CVE-2024-38821 (CVSS 9.1) Allows Authorization Bypass in Spring WebFlux Applications Learn about the critical vulnerability impacting Spring WebFlux applications and the implications for application security https://t.co/RwFr5goqsS

🗣 CVE-2024-38821 (CVSS 9.1) Allows Authorization Bypass in Spring WebFlux Applications https://t.co/0PfOT79zXt

There is a new vulnerability with elevated criticality in VMware Spring Security (CVE-2024-38821) https://t.co/2r3wMbodYK

Affected Software

Per the Spring advisory (https://spring.io/security/cve-2024-38821):

Product                 Affected versions                                                          Fixed in
Spring Security         5.7.0 to 5.7.12, 5.8.0 to 5.8.14, 6.0.0 to 6.0.12,                         5.7.13, 5.8.15, 6.0.13,
                        6.1.0 to 6.1.10, 6.2.0 to 6.2.6, 6.3.0 to 6.3.3                             6.1.11, 6.2.7, 6.3.4

Only WebFlux applications that use Spring's static resources support with a non-permitAll authorization rule on those resources are exposed; the version alone does not make an application vulnerable.

References

Reference                              Link
[email protected]                      https://spring.io/security/cve-2024-38821
AF854A3A-2127-422B-91AE-364DA2661108   https://security.netapp.com/advisory/ntap-20250124-0006/

CWE Details

CWE ID    CWE Name                                               Description
CWE-770   Allocation of Resources Without Limits or Throttling   The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Note that CWE-770 describes resource exhaustion, whereas the behaviour documented for this CVE (Spring Security authorization rules on static resources being bypassed) is an authorization weakness. Treat this CWE mapping as a database artefact rather than a description of the flaw.
