Spring Framework Vulnerability CVE-2024-38819: Path Traversal Risk in Web Apps

Summary: A newly discovered path traversal vulnerability (CVE-2024-38819) in the Spring Framework poses a significant security risk, allowing attackers to access sensitive files through crafted HTTP requests. The vulnerability affects multiple versions of the framework and has been assigned a CVSS score of 7.5, prompting urgent updates from the Spring Framework team.

Threat Actor: Unknown | unknown
Victim: Spring Framework Users | Spring Framework

Key Points:

  • Path traversal vulnerability allows access to files readable by the Spring application process.
  • Attackers can exploit this flaw to retrieve sensitive information such as configuration files and credentials.
  • Multiple affected versions include 5.3.0 to 5.3.40, 6.0.0 to 6.0.24, and 6.1.0 to 6.1.13.
  • Users are urged to upgrade to patched versions immediately to mitigate the risk.

A newly disclosed path traversal vulnerability, tracked as CVE-2024-38819, has been found in the widely used Spring Framework. This vulnerability, which has been assigned a CVSS score of 7.5, poses a significant security risk to applications serving static resources via WebMvc.fn or WebFlux.fn functional web frameworks.

The path traversal vulnerability arises when static resources are served through the functional web frameworks of Spring, WebMvc.fn and WebFlux.fn. By crafting malicious HTTP requests, attackers can exploit this vulnerability to access files that are readable by the same process running the Spring application. The potential scope of this attack could be wide-ranging, as attackers might retrieve files that contain sensitive information such as configuration files, logs, or even credentials.

In their advisory, Spring Framework’s project team explains, “an attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.” This flaw is reminiscent of a similar vulnerability, CVE-2024-38816, but involves different input mechanisms.
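As an added example (not code from the advisory or the Spring project): a small Python detector that scans web-server access log lines for traversal-shaped requests aimed at a static-resource route, the kind of "crafted HTTP request" the advisory describes. The log lines, the `/static/` prefix and the field names are constructed assumptions. The check decodes percent-encoding until it is stable (so double-encoded dot segments are caught), normalizes the path, and flags any request under the static prefix whose path contains a `..` segment or resolves outside the prefix, recording whether the server served it (2xx, worth investigating) or rejected it.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). They illustrate the
# shape of traversal probes against a static route; they are not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Oct/2024:10:01:12 +0000] "GET /static/css/app.css HTTP/1.1" 200 1431',
    '10.0.0.7 - - [14/Oct/2024:10:01:15 +0000] "GET /static/../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.7 - - [14/Oct/2024:10:01:16 +0000] "GET /static/%2e%2e/%2e%2e/application.properties HTTP/1.1" 200 512',
    '10.0.0.9 - - [14/Oct/2024:10:02:00 +0000] "GET /static/js/vendor.js HTTP/1.1" 304 0',
    '10.0.0.9 - - [14/Oct/2024:10:02:01 +0000] "GET /static/%252e%252e/x HTTP/1.1" 404 0',
    '10.0.0.9 - - [14/Oct/2024:10:02:02 +0000] "GET /api/items?q=..%2f HTTP/1.1" 200 88',
]

# Route prefixes under which the (hypothetical) application serves static
# resources through the functional routing API; adjust to your routing table.
STATIC_PREFIXES = ("/static/",)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(target: str, rounds: int = 3) -> str:
    """Drop the query string and percent-decode until the result is stable, so
    double-encoded dot segments (%252e%252e) are caught as well as %2e%2e."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_prefix(path: str, prefix: str) -> bool:
    """True when the normalized path no longer lies under the static prefix."""
    return not posixpath.normpath(path).startswith(prefix.rstrip("/") + "/")


def classify(line: str):
    """Return a finding dict for a traversal-shaped request under a static
    prefix, or None for benign or unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    raw_path = target.split("?", 1)[0]
    decoded = decode_path(target)
    status = int(m.group("status"))
    for prefix in STATIC_PREFIXES:
        if not raw_path.startswith(prefix):
            continue
        # A resource handler never needs a ".." segment, so flag it even when the
        # path would still resolve inside the prefix; also flag anything that
        # resolves outside the prefix after normalization.
        if ".." in decoded.split("/") or escapes_prefix(decoded, prefix):
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": target,
                "status": status,
                # 2xx means the server returned content for a traversal-shaped
                # path: investigate. Anything else means it was rejected.
                "outcome": "served" if 200 <= status < 300 else "rejected",
            }
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in map(classify, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests outside the static prefixes are ignored on purpose: the `/api/items?q=..%2f` line carries dot segments in a query parameter, which this rule does not cover; the point is to keep the rule tied to the route family the advisory names rather than to raise alerts on every `..` in traffic.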

CVE-2024-38819 was responsibly disclosed by Masato Anzai of Aeye Security Lab, Inc, alongside a second anonymous researcher.

The advisory lists multiple affected versions of the Spring Framework, including:

  • 5.3.0 to 5.3.40
  • 6.0.0 to 6.0.24
  • 6.1.0 to 6.1.13
  • Older, unsupported versions of Spring are also vulnerable.

To address the issue, the Spring Framework team has released patches. Users running affected versions are strongly advised to upgrade immediately to the following fixed versions:

  • 5.3.x users should upgrade to 5.3.41
  • 6.0.x users should upgrade to 6.0.25
  • 6.1.x users should upgrade to 6.1.14
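As an added example, not from the advisory or the Spring project, the following Python maps Spring Framework versions found in Maven `dependency:tree` output onto the affected ranges and fixed versions listed above. The dependency lines are constructed, the artifact regex is an assumption about the tree's layout, and suggesting the oldest fixed line as a minimum target for unsupported (older than 5.3) versions is the example's own choice; release lines the advisory does not name are reported as not listed rather than guessed.

```python
import re

# Affected ranges and fixed versions exactly as listed in the advisory summary
# above: (first affected, last affected, fixed) per supported release line.
AFFECTED_LINES = {
    (5, 3): ((5, 3, 0), (5, 3, 40), (5, 3, 41)),
    (6, 0): ((6, 0, 0), (6, 0, 24), (6, 0, 25)),
    (6, 1): ((6, 1, 0), (6, 1, 13), (6, 1, 14)),
}
OLDEST_SUPPORTED = (5, 3, 0)

# Matches Maven dependency:tree output lines such as
#   [INFO] +- org.springframework:spring-webmvc:jar:6.1.13:compile
# (assumed layout; adapt for Gradle or an SBOM).
DEP_RE = re.compile(r"org\.springframework:(spring-[a-z-]+):jar:([^:\s]+):")

# Constructed dependency:tree excerpt; the versions are illustrative.
SAMPLE_TREE = [
    "[INFO] +- org.springframework:spring-webmvc:jar:6.1.13:compile",
    "[INFO] |  +- org.springframework:spring-web:jar:6.1.13:compile",
    "[INFO] |  \\- org.springframework:spring-webflux:jar:6.1.13:compile",
    "[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.17.2:compile",
]


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch', tolerating qualifiers such as
    '5.3.40.RELEASE' or '6.1.13-SNAPSHOT' (the qualifier is ignored)."""
    core = re.split(r"[-.](?=[A-Za-z])", text.strip(), maxsplit=1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Spring Framework version: {text!r}")
    return tuple(int(p) for p in parts[:3])


def fmt(version: tuple) -> str:
    return ".".join(str(n) for n in version)


def assess(version_text: str):
    """Classify one Spring Framework version against the advisory's ranges.
    Returns (status, recommended_upgrade_or_None)."""
    v = parse_version(version_text)
    entry = AFFECTED_LINES.get(v[:2])
    if entry:
        _first, last, fixed = entry
        return ("affected", fmt(fixed)) if v <= last else ("fixed", None)
    if v < OLDEST_SUPPORTED:
        # The advisory says older, unsupported versions are also vulnerable and
        # have no patched release; the oldest fixed line is shown as a minimum.
        return ("unsupported-vulnerable", fmt(AFFECTED_LINES[(5, 3)][2]))
    # Release lines the advisory does not name are not assessed here.
    return ("not-listed", None)


def scan_dependency_tree(lines):
    """Map each Spring Framework artifact in dependency:tree output to its assessment."""
    results = {}
    for line in lines:
        m = DEP_RE.search(line)
        if m:
            results[m.group(1)] = assess(m.group(2))
    return results


if __name__ == "__main__":
    for artifact, (status, upgrade) in scan_dependency_tree(SAMPLE_TREE).items():
        print(f"{artifact}: {status}" + (f" -> upgrade to {upgrade}" if upgrade else ""))
```

Because all Spring Framework modules share one version, a single mismatched artifact (for example `spring-webmvc` pinned separately from `spring-web`) is itself worth a look; the per-artifact output makes that visible.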

Source: https://securityonline.info/spring-framework-vulnerability-cve-2024-38819-path-traversal-risk-in-web-apps