PromucFlow_constructor/app
subratadeypappu 5faaff38ba
fix: CVE-2024-38821 (#41188)
## Description
CVE-2024-38821 is an authorization-bypass affecting Spring WebFlux apps
that apply non-permitAll rules to static resources. The fix for
CVE-2024-38821 is in Spring Security 6.3.4+.
[Ref](https://spring.io/security/cve-2024-38821)

Mitigation Strategy:
We are upgrading Spring Boot to 3.3.13, which officially manages Spring
Security versions. Spring Security 6.3.10 is well beyond the minimum
required 6.3.4+.


### Verification

Verification Results:
1. Spring Security Version Check: SECURE
   - Current Version: Spring Security 6.3.10
   - Vulnerable Range: 6.3.0-6.3.3
   - Status: NOT VULNERABLE - Version 6.3.10 is well beyond the vulnerable range
2. All Spring Security Components Verified: SECURE
   - spring-security-web: 6.3.10
   - spring-security-oauth2-client: 6.3.10
   - spring-security-oauth2-core: 6.3.10
   - spring-security-oauth2-jose: 6.3.10
   - spring-security-config: 6.3.10
   - spring-security-crypto: 6.3.10
   - spring-security-test: 6.3.10
3. No Vulnerable Versions Detected: CLEAN
   - No Spring Security 6.3.0-6.3.3 versions found
   - No vulnerable Spring Security components detected


## Automation

/ok-to-test tags="@tag.Sanity"

### 🔍 Cypress test results
> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run: <https://github.com/appsmithorg/appsmith/actions/runs/17201170729>
> Commit: d588e5da0afe52b94730871b77ada4ab9b92c20e
> [Cypress dashboard](https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=17201170729&attempt=1).
> Tags: `@tag.Sanity`
> Spec:
>
> Mon, 25 Aug 2025 07:17:32 UTC




## Summary by CodeRabbit

* **Chores**
  * Upgraded Spring Boot parent to 3.3.13 to improve stability, compatibility, and maintenance.
2025-08-25 18:04:59 +06:00
..
client feat: update environment switch tooltip from business to enterprise plan (#41168) 2025-08-20 04:35:23 -07:00
server fix: CVE-2024-38821 (#41188) 2025-08-25 18:04:59 +06:00
util