CVE-2024-38821 - Improper Authorization
Severity: None
2025-03-11
Abstract
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true:
* It must be a WebFlux application
* It must be using Spring's static resources support
* It must have a non-permitAll authorization rule applied to the static resources support
The Oxygen products incorporate gosu as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen Content Fusion v7.1 and older | None | Oxygen Content Fusion 7.1.1 build 2024120911 |
| Oxygen Feedback v5.0 and older | None | Oxygen Feedback 5.1 build 2024121116 |
Detail
CVE-2024-38821
Severity: Critical
CVSS Score: 9.1
The Spring WebFlux third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2024-38821 vulnerability description. However, Oxygen Content Fusion and Oxygen Feedback are not WebFlux applications; for that reason, Oxygen products are not affected by this vulnerability.
Starting with Oxygen Content Fusion v7.1.1 build 2024120911, the Spring WebFlux library was updated to a version that fixes this vulnerability.
Starting with Oxygen Feedback v5.1 build 2024121116, the Spring WebFlux library was updated to a version that fixes this vulnerability.