fix: CVE-2024-38821 (#41188)

## Description
CVE-2024-38821 is an authorization-bypass affecting Spring WebFlux apps
that apply non-permitAll rules to static resources. The fix for
CVE-2024-38821 is in Spring Security 6.3.4+.
[Ref](https://spring.io/security/cve-2024-38821)

Mitigation Strategy:
We are upgrading Spring Boot to 3.3.13 which officially manages Spring
Security versions. Spring Security 6.3.10 is well beyond the minimum
required 6.3.4+


### Verification

Verification Results:
1. Spring Security Version Check: SECURE
   - Current Version: Spring Security 6.3.10
   - Vulnerable Range: 6.3.0-6.3.3
   - Status: NOT VULNERABLE - Version 6.3.10 is well beyond the vulnerable range
2. All Spring Security Components Verified: SECURE
   - spring-security-web: 6.3.10
   - spring-security-oauth2-client: 6.3.10
   - spring-security-oauth2-core: 6.3.10
   - spring-security-oauth2-jose: 6.3.10
   - spring-security-config: 6.3.10
   - spring-security-crypto: 6.3.10
   - spring-security-test: 6.3.10
3. No Vulnerable Versions Detected: CLEAN
   - No Spring Security 6.3.0-6.3.3 versions found
   - No vulnerable Spring Security components detected


## Automation

/ok-to-test tags="@tag.Sanity"

### 🔍 Cypress test results
> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run: <https://github.com/appsmithorg/appsmith/actions/runs/17201170729>
> Commit: d588e5da0afe52b94730871b77ada4ab9b92c20e
> [Cypress dashboard](https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=17201170729&attempt=1).
> Tags: `@tag.Sanity`
> Spec:
> Mon, 25 Aug 2025 07:17:32 UTC



<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Upgraded Spring Boot parent to 3.3.13 to improve stability,
compatibility, and maintenance.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
subratadeypappu 2025-08-25 18:04:59 +06:00 committed by GitHub
parent ae2f286a13
commit 5faaff38ba
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
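
A reproducible form of the version check described under Verification, as an added example that is not part of the commit or the project's own code: it reads `mvn dependency:tree` output and flags any `org.springframework.security` module below the 6.3.4 floor the commit message cites. The function names and the sample tree (including the `com.example` project and the module pinned at 6.3.3) are constructed for illustration.

```python
import re

# Floor taken from the commit message: the fix is in Spring Security 6.3.4+.
# Anything below it, or unparseable, is flagged for review (fail closed).
FIXED_FLOOR = (6, 3, 4)
COORD = re.compile(r"org\.springframework\.security:\S+")


def spring_security_versions(tree_text):
    """Map artifactId -> set of versions found in `mvn dependency:tree` output."""
    found = {}
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        # Layout: group:artifact:type[:classifier]:version:scope
        parts = m.group(0).split(":")
        if len(parts) >= 5:
            found.setdefault(parts[1], set()).add(parts[-2])
    return found


def classify(version):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "unknown"
    return "ok" if tuple(map(int, m.groups())) >= FIXED_FLOOR else "below-fix"


def audit(tree_text):
    """Return sorted (artifact, version, status) rows for every non-ok module."""
    return sorted(
        (artifact, version, classify(version))
        for artifact, versions in spring_security_versions(tree_text).items()
        for version in versions
        if classify(version) != "ok"
    )


# Constructed sample output: one module pinned below the managed 6.3.10.
SAMPLE_TREE = r"""
[INFO] com.example:demo-server:jar:1.0-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:3.3.13:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:6.3.10:compile
[INFO] |  \- org.springframework.security:spring-security-web:jar:6.3.10:compile
[INFO] +- org.springframework.security:spring-security-oauth2-client:jar:6.3.3:compile
[INFO] \- org.springframework.security:spring-security-test:jar:6.3.10:test
"""

if __name__ == "__main__":
    for row in audit(SAMPLE_TREE):
        print(*row)
```

The floor check is deliberately conservative: it flags every version below 6.3.4, including other release lines, so an empty result from `audit` is the passing condition.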


@ -7,7 +7,7 @@
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.3.3</version>
<version>3.3.13</version>
<relativePath/>
<!-- lookup parent from repository -->
</parent>
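
Review bot: the `<version>` change on `spring-boot-starter-parent` fixes the CVE only indirectly, through the Spring Security version the Boot parent manages, and nothing in this pom records the 6.3.4 floor. A `spring-security.version` property or an explicit `<version>` on a Spring Security dependency in this or a child module would override the managed version with no visible signal here. Suggest stating the floor in the comment next to the parent (or enforcing it at build time, for example with a Maven Enforcer banned-dependencies rule) and confirming that no module overrides it. The move from 3.3.3 to 3.3.13 also shifts every other Boot-managed dependency, while the recorded test run covers only `@tag.Sanity`, so a wider run before release would be worth having.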
@ -52,7 +52,6 @@
<spotless.version>2.36.0</spotless.version>
<testcontainers.version>1.20.1</testcontainers.version>
</properties>
<build>
<resources>
<resource>
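
Review bot: the header of this hunk (`-52,7 +52,6`) removes one line around `</properties>` and `<build>`, and the commit message does not mention it. No element is missing from the lines shown, so it reads as a whitespace-only change; if so, drop it from this commit or confirm it comes from the formatter, so the security fix stays a one-line version bump that is easy to audit and backport.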