Spring Web Applications Vulnerable to Path Traversal Attacks

CVE-2024-38816

7.5 HIGH

Key Information

Vendor: Spring
CVE Published: 13 September 2024

Badges

👾 Exploit Exists · 🟡 Public PoC · 📰 News Worthy

Summary

CVE-2024-38816 affects Spring web applications that serve static resources through WebMvc.fn or WebFlux.fn. It allows an attacker to perform path traversal, gaining unauthorized read access to files on the server, and therefore puts sensitive data at risk. The vulnerability is present in applications that use RouterFunctions to serve static resources and explicitly configure a FileSystemResource location. Using the Spring Security HTTP Firewall, or running the application on Tomcat or Jetty, protects against the malicious requests. The vulnerability has been exploited by ransomware groups, so organizations should apply the available security patches to mitigate this risk.

Affected Version(s)

Spring <= 5.3.x

Spring < 5.3.40

Spring < 6.0.24

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

TheCyberThrone Security Week In Review – September 21, 2024

Welcome to the TheCyberThrone cybersecurity week in review, which is posted covering the important security happenings. This review is for the week ending Saturday, September 21, 2024. Microsoft Kernel Vulnerability CVE-2024-37985 exploited: Microsoft has confirmed the exploitation of a Windows Kernel vuln...

3 months ago

Java News Roundup: Payara Platform, Piranha Cloud, Spring Milestones, JBang, Micrometer, Groovy

This week's Java roundup for September 9th, 2024, features news highlighting: the September 2024 Payara Platform, Piranha Cloud and Micrometer releases, Spring Framework 6.2.0-RC1, Spring Data 2024.1.

3 months ago

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • 📰 First article discovered by infoq.com
  • Vulnerability published
  • Vulnerability reserved

Collectors

NVD Database · Mitre Database · 2 Proof of Concept(s) · 2 News Article(s)