CVE-2024-38821: Spring Security vulnerable to Authorization Bypass of Static Resources in WebFlux Applications

CVSS Score (v3.1): 9.1

Basic Information

EPSS Score: 0.94029%
Published: 10/28/2024
Updated: 1/24/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Package Name                                     | Ecosystem | Vulnerable Versions | First Patched Version
org.springframework.security:spring-security-web | maven     | < 5.7.13            | 5.7.13
org.springframework.security:spring-security-web | maven     | >= 5.8.0, < 5.8.15  | 5.8.15
org.springframework.security:spring-security-web | maven     | >= 6.0.0, < 6.0.13  | 6.0.13
org.springframework.security:spring-security-web | maven     | >= 6.1.0, < 6.1.11  | 6.1.11
org.springframework.security:spring-security-web | maven     | >= 6.2.0, < 6.2.7   | 6.2.7
org.springframework.security:spring-security-web | maven     | >= 6.3.0, < 6.3.4   | 6.3.4

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

CVE-2024-38821 is an authorization bypass for static resources in Spring WebFlux applications caused by un-normalized request URLs. The fixing commits (0e257b56ce35402558a260ffa6b368982f9a7934 and 4ce7cde15599c0447163fd46bac616e03318bf5b) introduce a ServerWebExchangeFirewall, specifically StrictServerWebExchangeFirewall, into org.springframework.security.web.server.WebFilterChainProxy. The core change is in the filter method of WebFilterChainProxy.

Before the patch, filter took the incoming ServerWebExchange and used it, together with the request path it carries, directly to decide which security filter chain applies, notably in the call securityWebFilterChain.matches(exchange). The StrictServerWebExchangeFirewall added by the patch is designed, among other things, to enforce URL normalization before that decision is made. That the firewall was inserted at exactly this point indicates that filter previously evaluated potentially un-normalized, and therefore attacker-influenced, request paths; such input could cause the matcher to select the wrong rule and so bypass the authorization constraints placed on static resources. WebFilterChainProxy.filter is therefore identified as the vulnerable function: it consumed unsanitized input (the un-normalized URL in the ServerWebExchange) and used it for security-sensitive matching.
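To make the defensive principle behind the patch concrete, the following is an added example, not Spring Security's code: a simplified model of a strict exchange firewall that rejects any request path that is not already in canonical form before an authorization matcher ever sees it. The forbidden-sequence list, the minimal Ant-style matcher and the rule table are constructed for illustration and only approximate what the real StrictServerWebExchangeFirewall enforces.

```python
import posixpath

# Added example (not Spring Security's code): a simplified model of the check a
# strict exchange firewall performs *before* any authorization matcher runs.
# The forbidden list, matcher and rule table are constructed for illustration.

class RejectedRequest(Exception):
    """Raised when a request path is not in canonical form."""

# Sequences a strict firewall refuses outright: a decoder or resource resolver
# could turn them into a different path than the one the matcher compared.
FORBIDDEN = ("//", "\\", ";", "%2e", "%2E", "%2f", "%2F", "%5c", "%5C", "%00")

def strict_firewall(raw_path: str) -> str:
    """Return raw_path unchanged if it is already normalized, otherwise raise."""
    if not raw_path.startswith("/"):
        raise RejectedRequest("path must be absolute")
    for bad in FORBIDDEN:
        if bad in raw_path:
            raise RejectedRequest(f"forbidden sequence {bad!r}")
    if any(seg in (".", "..") for seg in raw_path.split("/")):
        raise RejectedRequest("dot segment in path")
    # Normalizing must be a no-op (a single trailing slash is tolerated).
    canonical = posixpath.normpath(raw_path)
    if raw_path not in (canonical, canonical + "/"):
        raise RejectedRequest("path is not in canonical form")
    return raw_path

def is_rejected(raw_path: str) -> bool:
    """True when the firewall refuses the path before any matcher runs."""
    try:
        strict_firewall(raw_path)
    except RejectedRequest:
        return True
    return False

def path_matches(pattern: str, path: str) -> bool:
    """Minimal Ant-style matcher: exact match or a trailing '/**' prefix."""
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return prefix == "" or path == prefix or path.startswith(prefix + "/")
    return pattern == path

# Constructed rule table, first match wins (like an authorizeExchange chain).
RULES = [("/static/**", "authenticated"), ("/**", "permitAll")]

def authorize(raw_path: str, authenticated: bool) -> str:
    """Firewall first, then match the vetted path against RULES."""
    path = strict_firewall(raw_path)  # raises on non-canonical input
    for pattern, access in RULES:
        if path_matches(pattern, path):
            return "allow" if access == "permitAll" or authenticated else "deny"
    return "deny"
```

The point is the ordering: the matcher only ever compares a path that the firewall has vouched for, so the string an authorization rule is evaluated against is the same string a static-resource handler would later resolve.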

WAF Protection Rules

WAF Rule

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true:
* It must be a WebFlux application
