Spring Framework Vulnerability CVE-2024-38819: Path Traversal Risk in Web Apps
A newly disclosed path traversal vulnerability, tracked as CVE-2024-38819, has been found in the widely used Spring Framework. This vulnerability, which has been assigned a CVSS score of 7.5, poses a significant security risk to applications serving static resources via the WebMvc.fn or WebFlux.fn functional web frameworks.
The path traversal vulnerability arises when static resources are served through the functional web frameworks of Spring, WebMvc.fn and WebFlux.fn. By crafting malicious HTTP requests, attackers can exploit this vulnerability to access files that are readable by the same process running the Spring application. The potential scope of this attack could be wide-ranging, as attackers might retrieve files that contain sensitive information such as configuration files, logs, or even credentials.
In their advisory, Spring Framework’s project team explains, “an attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.” This flaw is reminiscent of a similar vulnerability, CVE-2024-38816, but involves different input mechanisms.
CVE-2024-38819 was responsibly disclosed by Masato Anzai of Aeye Security Lab, Inc., alongside a second anonymous researcher.
The advisory lists multiple affected versions of the Spring Framework, including:
- 5.3.0 to 5.3.40
- 6.0.0 to 6.0.24
- 6.1.0 to 6.1.13
- Older, unsupported versions of Spring are also vulnerable.
To address the issue, the Spring Framework team has released patches. Users running affected versions are strongly advised to upgrade immediately to the following fixed versions:
- 5.3.x users should upgrade to 5.3.41
- 6.0.x users should upgrade to 6.0.25
- 6.1.x users should upgrade to 6.1.14
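The first thing a defender wants from the version lists above is a quick answer to "is my build on an affected release, and what do I move to?" The following script is an added example, not code from the article or from the Spring project: it encodes the affected ranges and fixed versions exactly as listed above, scans a Maven `pom.xml` for direct `org.springframework` dependencies (resolving a `${property}` version reference against `<properties>`), and reports the status of each. It assumes Spring Framework is declared directly in the pom; versions pulled in transitively, for example through a Spring Boot parent, are not resolved here. The sample pom and its version numbers are constructed for the example. Versions newer than the listed branches are reported as "not-listed" rather than "fixed", because the page says nothing about them.

```python
"""Check a Maven pom.xml for Spring Framework versions affected by CVE-2024-38819.

Affected ranges and fixed releases are taken from the advisory as summarised
in the article above; the sample pom.xml at the bottom is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges and the fixed release for each branch (from the page).
AFFECTED = [
    ((5, 3, 0), (5, 3, 40), "5.3.41"),
    ((6, 0, 0), (6, 0, 24), "6.0.25"),
    ((6, 1, 0), (6, 1, 13), "6.1.14"),
]
OLDEST_SUPPORTED = (5, 3, 0)  # anything older is unsupported and also vulnerable

SPRING_GROUP = "org.springframework"
# Artifacts whose version reveals which Spring Framework release is in use
# (assumption: a project pins these directly rather than via a BOM).
SPRING_ARTIFACTS = {"spring-webmvc", "spring-webflux", "spring-web",
                    "spring-core", "spring-context"}
MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(text):
    """Turn '6.1.12' or '5.2.25.RELEASE' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version_text):
    """Classify one Spring Framework version against the page's lists.

    Returns (status, fixed_version) where status is one of
    'affected', 'affected-unsupported', 'fixed' or 'not-listed'.
    fixed_version is None where the page names no target release.
    """
    v = parse_version(version_text)
    if v < OLDEST_SUPPORTED:
        # Page: older, unsupported versions are vulnerable; no fix version given.
        return "affected-unsupported", None
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return "affected", fixed
        if v[:2] == low[:2]:
            # Same branch but at or beyond the fixed release.
            return "fixed", fixed
    return "not-listed", None


def resolve_property(root, value):
    """Resolve a single ${name} reference against the pom's <properties> block."""
    m = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    if not m:
        return value.strip()
    props = root.find(f"{MAVEN_NS}properties")
    if props is not None:
        for child in props:
            if child.tag == f"{MAVEN_NS}{m.group(1)}" and child.text:
                return child.text.strip()
    raise ValueError(f"unresolved property reference {value!r}")


def scan_pom(pom_xml):
    """Return [(artifactId, version, status, fixed)] for Spring Framework dependencies."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.iter(f"{MAVEN_NS}dependency"):
        group = dep.findtext(f"{MAVEN_NS}groupId")
        artifact = dep.findtext(f"{MAVEN_NS}artifactId")
        version = dep.findtext(f"{MAVEN_NS}version")
        if group != SPRING_GROUP or artifact not in SPRING_ARTIFACTS or not version:
            continue
        version = resolve_property(root, version)
        status, fixed = assess(version)
        findings.append((artifact, version, status, fixed))
    return findings


# Constructed sample pom: one affected dependency and one already fixed.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>static-site</artifactId>
  <version>1.0.0</version>
  <properties>
    <spring.version>6.1.12</spring.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webflux</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>5.3.41</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, status, fixed in scan_pom(SAMPLE_POM):
        target = f" -> upgrade to {fixed}" if status.startswith("affected") and fixed else ""
        print(f"{artifact} {version}: {status}{target}")
```

Run against a real pom by replacing `SAMPLE_POM` with the file contents; the "affected-unsupported" status flags builds on a branch older than 5.3 that the page says are vulnerable but for which it names no fixed release.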