CVE-2024-38816
📋 TL;DR
Spring applications using RouterFunctions to serve static resources with FileSystemResource locations are vulnerable to path traversal attacks. This allows attackers to read arbitrary files accessible to the application process. Only applications using WebMvc.fn or WebFlux.fn functional frameworks with specific configurations are affected.
💻 Affected Systems
- Spring Framework
- Spring Boot applications using Spring Framework
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete file system disclosure including sensitive configuration files, credentials, and application source code, potentially leading to full system compromise.
Likely Case
Unauthorized access to sensitive files like configuration files, environment variables, or application data stored in accessible directories.
If Mitigated
Requests blocked by Spring Security HTTP Firewall or when running on Tomcat/Jetty; otherwise limited to files within application's access permissions.
🎯 Exploit Status
Simple HTTP request manipulation required; exploit details are publicly available in advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Spring Framework 6.1.14 or 6.0.22
Vendor Advisory: https://spring.io/security/cve-2024-38816
Restart Required: Yes
Instructions:
1. Update Spring Framework to version 6.1.14 or 6.0.22. 2. Update Spring Boot to latest compatible version. 3. Restart application. 4. Verify fix by testing path traversal attempts.
🔧 Temporary Workarounds
Enable Spring Security HTTP Firewall
allConfigure Spring Security to use HTTP Firewall which blocks malicious requests
Add spring-boot-starter-security dependency and configure HTTP firewall
Deploy on Tomcat or Jetty
allRun application on Tomcat or Jetty servers which block the malicious requests
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted sources only
- Deploy WAF with path traversal protection rules and monitor for attack attempts
🔍 How to Verify
Check if Vulnerable:
Check if application uses RouterFunctions with FileSystemResource for static resources and doesn't use Spring Security HTTP Firewall or run on Tomcat/JettyCheck Version:
Check Spring Framework version in pom.xml or build.gradle: grep -r 'spring.version' or check application startup logsVerify Fix Applied:
Test path traversal attempts (e.g., GET /static/../../etc/passwd) and verify they are blocked or return 404📡 Detection & Monitoring
Log Indicators:
- HTTP requests with ../ sequences in URL paths
- Failed attempts to access files outside static resource directories
- Unusual file access patterns from single IPs
Network Indicators:
- HTTP requests containing path traversal sequences (../, ..\) to static endpoints
- Multiple 404 or 403 responses for unusual file paths
SIEM Query:
http.url:*../* AND http.status_code:(404 OR 403) AND dest_port:8080