Protei/PromucFlow_constructor
2
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

fix: CVE-2024-38821 (#41188)

Browse Source 
## Description
CVE-2024-38821 is an authorization-bypass affecting Spring WebFlux apps
that apply non-permitAll rules to static resources. The fix for
CVE-2024-38821 is in Spring Security 6.3.4+.
[Ref](https://spring.io/security/cve-2024-38821)

Mitigation Strategy:
We are upgrading Spring Boot to 3.3.13 which officially manages Spring
Security versions. Spring Security 6.3.10 is well beyond the minimum
required 6.3.4+


### Verification

Verification Results:
1. Spring Security Version Check:  SECURE
Current Version: Spring Security 6.3.10
Vulnerable Range: 6.3.0-6.3.3
Status:  NOT VULNERABLE - Version 6.3.10 is well beyond the vulnerable
range
2. All Spring Security Components Verified:  SECURE
 spring-security-web: 6.3.10
 spring-security-oauth2-client: 6.3.10
 spring-security-oauth2-core: 6.3.10
 spring-security-oauth2-jose: 6.3.10
 spring-security-config: 6.3.10
 spring-security-crypto: 6.3.10
 spring-security-test: 6.3.10
3. No Vulnerable Versions Detected:  CLEAN
 No Spring Security 6.3.0-6.3.3 versions found
 No vulnerable Spring Security components detected

Fixes #`Issue Number`  
_or_  
Fixes `Issue URL`
> [!WARNING]  
> _If no issue exists, please create an issue first, and check with the
maintainers if the issue is valid._

## Automation

/ok-to-test tags="@tag.Sanity"

### 🔍 Cypress test results
<!-- This is an auto-generated comment: Cypress test results  -->
> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run:
<https://github.com/appsmithorg/appsmith/actions/runs/17201170729>
> Commit: d588e5da0afe52b94730871b77ada4ab9b92c20e
> <a
href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=17201170729&attempt=1"
target="_blank">Cypress dashboard</a>.
> Tags: `@tag.Sanity`
> Spec:
> <hr>Mon, 25 Aug 2025 07:17:32 UTC
<!-- end of auto-generated comment: Cypress test results  -->


## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [ ] No


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Upgraded Spring Boot parent to 3.3.13 to improve stability,
compatibility, and maintenance.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This commit is contained in:
subratadeypappu 2025-08-25 18:04:59 +06:00 committed by GitHub
parent ae2f286a13
commit 5faaff38ba
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 1 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/server/pom.xml
View File

@ -7,7 +7,7 @@
<parent> <parent>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId> <artifactId>spring-boot-starter-parent</artifactId>
<version>3.3.3</version> <version>3.3.13</version>
<relativePath/> <relativePath/>
<!-- lookup parent from repository --> <!-- lookup parent from repository -->
</parent> </parent>
@ -52,7 +52,6 @@
<spotless.version>2.36.0</spotless.version> <spotless.version>2.36.0</spotless.version>
<testcontainers.version>1.20.1</testcontainers.version> <testcontainers.version>1.20.1</testcontainers.version>
</properties> </properties>
<build> <build>
<resources> <resources>
<resource> <resource>