From 5faaff38ba6018be7791b7dcb2ccd5a091038271 Mon Sep 17 00:00:00 2001
From: subratadeypappu
Date: Mon, 25 Aug 2025 18:04:59 +0600
Subject: [PATCH] fix: CVE-2024-38821 (#41188)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Description

CVE-2024-38821 is an authorization-bypass affecting Spring WebFlux apps that apply non-permitAll rules to static resources. The fix for CVE-2024-38821 is in Spring Security 6.3.4+. [Ref](https://spring.io/security/cve-2024-38821)

Mitigation Strategy: We are upgrading Spring Boot to 3.3.13, which officially manages Spring Security versions. Spring Security 6.3.10 is well beyond the minimum required 6.3.4+.

### Verification

Verification Results:

1. Spring Security Version Check: ✅ SECURE
   - Current Version: Spring Security 6.3.10
   - Vulnerable Range: 6.3.0-6.3.3
   - Status: ✅ NOT VULNERABLE - Version 6.3.10 is well beyond the vulnerable range

2. All Spring Security Components Verified: ✅ SECURE
   - ✅ spring-security-web: 6.3.10
   - ✅ spring-security-oauth2-client: 6.3.10
   - ✅ spring-security-oauth2-core: 6.3.10
   - ✅ spring-security-oauth2-jose: 6.3.10
   - ✅ spring-security-config: 6.3.10
   - ✅ spring-security-crypto: 6.3.10
   - ✅ spring-security-test: 6.3.10

3. No Vulnerable Versions Detected: ✅ CLEAN
   - ❌ No Spring Security 6.3.0-6.3.3 versions found
   - ❌ No vulnerable Spring Security components detected

Fixes #`Issue Number` _or_ Fixes `Issue URL`

> [!WARNING]
> _If no issue exists, please create an issue first, and check with the maintainers if the issue is valid._

## Automation

/ok-to-test tags="@tag.Sanity"

### :mag: Cypress test results

> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run:
> Commit: d588e5da0afe52b94730871b77ada4ab9b92c20e
> Cypress dashboard.
> Tags: `@tag.Sanity`
> Spec:
>
Mon, 25 Aug 2025 07:17:32 UTC ## Communication Should the DevRel and Marketing teams inform users about this change? - [ ] Yes - [ ] No ## Summary by CodeRabbit * **Chores** * Upgraded Spring Boot parent to 3.3.13 to improve stability, compatibility, and maintenance. --- app/server/pom.xml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/app/server/pom.xml b/app/server/pom.xml index 31ecd38c58..4eda7baa89 100644 --- a/app/server/pom.xml +++ b/app/server/pom.xml @@ -7,7 +7,7 @@ org.springframework.boot spring-boot-starter-parent - 3.3.3 + 3.3.13 @@ -52,7 +52,6 @@ 2.36.0 1.20.1 -
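Review bot: in the first hunk (`@@ -7,7 +7,7 @@`), bumping `spring-boot-starter-parent` from 3.3.3 to 3.3.13 only delivers the Spring Security 6.3.10 that the description claims if no property or `dependencyManagement` entry elsewhere in the POM overrides the parent's managed version. The Verification section lists resolved versions but not how they were obtained; please attach the output of `mvn dependency:tree -Dincludes=org.springframework.security` (or add a `maven-enforcer-plugin` `bannedDependencies` rule for `org.springframework.security:*:[6.3.0,6.3.4)`) so the check is reproducible rather than a one-off statement in the description.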
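Review bot: the second hunk (`@@ -52,7 +52,6 @@`) deletes one line after the `1.20.1` property, but the content of the removed line is not visible in the extracted diff and the commit message mentions only the parent bump. Please state in the description which property or entry is removed and why: if it is an explicit Spring Security version override, its removal is the step that actually lets the parent's managed version take effect and deserves a sentence of its own; in either case, confirm nothing else in the build still references the removed property.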
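The Verification section above asserts that every Spring Security artifact resolves to 6.3.10 and none falls in the 6.3.0-6.3.3 range the PR cites. The following added example (not code from the PR or the project) shows how to make that check mechanical: it parses text in the shape `mvn dependency:tree` prints, collects the resolved version of each `org.springframework.security` artifact, and flags any whose version lies in the range the PR states for CVE-2024-38821. The two dependency trees embedded below are constructed for the example, not real project output, and the group id and range constants are assumptions taken from the PR text.

```python
"""Audit resolved Spring Security versions from `mvn dependency:tree` output
against the CVE-2024-38821 range stated in the PR (6.3.0-6.3.3, fixed in 6.3.4).
Added example; the sample trees are constructed, not real project output."""
import re

# Range as stated in the PR description (assumption taken from the page):
# vulnerable if VULN_MIN <= version < FIXED_IN.
VULN_MIN = (6, 3, 0)
FIXED_IN = (6, 3, 4)
SECURITY_GROUP = "org.springframework.security"
# Trailing coordinate segment that Maven appends for non-root dependencies.
MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Constructed sample: the state the PR describes after the Boot 3.3.13 bump.
SAMPLE_TREE_OK = """\
[INFO] com.example:demo-server:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:3.3.13:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:6.3.10:compile
[INFO] |  |  \\- org.springframework.security:spring-security-core:jar:6.3.10:compile
[INFO] |  |     \\- org.springframework.security:spring-security-crypto:jar:6.3.10:compile
[INFO] |  \\- org.springframework.security:spring-security-web:jar:6.3.10:compile
[INFO] \\- org.springframework.security:spring-security-test:jar:6.3.10:test
"""

# Constructed sample: a tree still on the vulnerable 6.3.3 line.
SAMPLE_TREE_BAD = """\
[INFO] com.example:demo-server:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:3.3.3:compile
[INFO] |  \\- org.springframework.security:spring-security-web:jar:6.3.3:compile
[INFO] \\- org.springframework.security:spring-security-oauth2-jose:jar:6.3.3:compile
"""


def parse_version(text):
    """Return the numeric (major, minor, patch) prefix of a version string, or None."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def parse_tree(tree_text):
    """Yield (groupId, artifactId, version) for each coordinate line of dependency:tree output.

    Coordinates have the shape group:artifact:packaging[:classifier]:version[:scope];
    the scope is present on every line except the project root.
    """
    for raw in tree_text.splitlines():
        # Drop the log prefix and the tree-drawing characters (+- |  \-).
        line = raw.replace("[INFO]", "", 1).strip().lstrip("+-\\| ").strip()
        parts = line.split(":")
        if len(parts) < 4:
            continue  # banner or blank line, not a coordinate
        version = parts[-2] if parts[-1] in MAVEN_SCOPES else parts[-1]
        yield parts[0], parts[1], version


def is_vulnerable(version):
    """True if the version lies inside the range the PR cites for CVE-2024-38821."""
    v = parse_version(version)
    return v is not None and VULN_MIN <= v < FIXED_IN


def audit(tree_text):
    """Return ({artifactId: resolved version} for Spring Security artifacts, sorted vulnerable ids)."""
    resolved = {}
    for group, artifact, version in parse_tree(tree_text):
        if group == SECURITY_GROUP:
            resolved[artifact] = version
    vulnerable = sorted(a for a, v in resolved.items() if is_vulnerable(v))
    return resolved, vulnerable


if __name__ == "__main__":
    for label, tree in (("after upgrade", SAMPLE_TREE_OK), ("before upgrade", SAMPLE_TREE_BAD)):
        resolved, vulnerable = audit(tree)
        print(f"{label}: {len(resolved)} Spring Security artifacts resolved")
        for artifact, version in sorted(resolved.items()):
            mark = "VULNERABLE" if artifact in vulnerable else "ok"
            print(f"  {artifact}: {version} [{mark}]")
```

Feed the script the real output of `mvn dependency:tree -Dincludes=org.springframework.security` instead of the embedded samples to reproduce the PR's verification; because it reads resolved coordinates rather than declared ones, it also catches a stale version pinned by a property or a transitive dependency that the parent bump did not reach.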