Description
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true:
- It must be a WebFlux application
- It must be using Spring's static resources support
- It must have a non-permitAll authorization rule applied to the static resources support
An authorization bypass vulnerability was found in Spring WebFlux applications, impacting static resources under specific conditions. If an application uses Spring's static resources support with restricted (non-permitAll) authorization rules, unauthorized access to these resources may be possible.
Statement
This issue is classified as a moderate severity vulnerability because it impacts only specific configurations of Spring WebFlux applications and does not compromise dynamic or core application functionality. To exploit this vulnerability, the application must not only be using Spring WebFlux but must also serve static resources under non-permitAll authorization rules. Furthermore, the bypass affects only static resources—such as CSS, JavaScript, or images—that, while potentially sensitive, do not contain dynamic, user-specific data or functional endpoints that interact directly with business logic. Red Hat JBoss Enterprise Application Platform (EAP/XP) is not affected by this issue, as it does not use Spring WebFlux or the associated static resources functionality, either at runtime or within distributed repositories. This architecture eliminates the conditions necessary for this vulnerability to be exploited.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat build of Apache Camel - HawtIO 4 | org.springframework/spring-webflux | Not affected | | |
| Red Hat Fuse 7 | org.springframework/spring-webflux | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 7 | org.springframework/spring-webflux | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 8 | org.springframework/spring-webflux | Not affected | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | org.springframework/spring-webflux | Not affected | | |
Additional information
EPSS
7.4 High
CVSS3
Related vulnerabilities
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: * It must be a WebFlux application * It must be using Spring's static resources support * It must have a non-permitAll authorization rule applied to the static resources support
Spring Security vulnerable to Authorization Bypass of Static Resources in WebFlux Applications
Vulnerability in the WebFlux.fn functional web framework of the Spring Framework software platform, allowing an attacker to affect the confidentiality, integrity and availability of protected information