CVE-2024-38819
📋 TL;DR
Spring applications using WebMvc.fn or WebFlux.fn functional web frameworks to serve static resources are vulnerable to path traversal attacks. Attackers can craft HTTP requests to access any file accessible to the Spring application process. This affects applications using these specific Spring framework components with default or misconfigured static resource handling.
💻 Affected Systems
- Spring Framework
- Spring Boot applications using WebMvc.fn or WebFlux.fn
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete file system compromise allowing reading of sensitive files like configuration files, credentials, private keys, and application source code, potentially leading to full system takeover.
Likely Case
Unauthorized access to configuration files, source code, or other sensitive files stored in accessible directories, leading to information disclosure and potential credential theft.
If Mitigated
Limited impact if proper file system permissions restrict application process access and sensitive files are stored outside accessible paths.
🎯 Exploit Status
Exploitation requires only HTTP requests with crafted paths. No authentication or special privileges needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Spring Framework 6.1.19 or 6.0.29
Vendor Advisory: https://spring.io/security/cve-2024-38819
Restart Required: Yes
Instructions:
1. Update Spring Framework to version 6.1.19 or 6.0.29.
2. Update Spring Boot to version 3.3.2 or 3.2.10 if using Spring Boot.
3. Restart the application.
🔧 Temporary Workarounds
Disable static resource serving via functional endpoints
Switch to using traditional annotation-based controllers for serving static resources instead of WebMvc.fn or WebFlux.fn functional endpoints.
Implement custom path validation
Add server-side validation to reject requests containing path traversal sequences like '../' or absolute paths.
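The validation workaround above is easy to get wrong if it only looks for the literal string '../', because the encoded forms listed later on this page ('%2e%2e%2f', '..%2f') slip past a substring check. The following is an added reference implementation (not code from the advisory or from the Spring project) that contrasts that weak check with a canonicalize-then-contain check: percent-decode in a bounded loop, reject absolute paths and control characters, resolve against the static root and require the result to stay inside it. It is written in Python as a language-neutral reference of the logic; in a Spring functional router it would sit in a HandlerFilterFunction in front of the resource handler. The root directory `/srv/app/static` is an assumed value for the example.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical root of the static-resource directory (an assumption for this
# example; the advisory does not name a path).
STATIC_ROOT = "/srv/app/static"


def naive_reject(requested: str) -> bool:
    """The weak check: accept unless the raw string contains '../'.
    The encoded forms the advisory lists ('%2e%2e%2f', '..%2f') pass it."""
    return "../" not in requested


def canonical_path(requested: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded sequence such as '%252e%252e%252f' is unwrapped before any
    check is applied."""
    current = requested
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_safe_static_path(requested: str, root: str = STATIC_ROOT) -> bool:
    """Hardened check: decode, reject absolute paths and NUL/backslash
    characters, then resolve against the root and require the resolved path
    to remain inside it. Returns True only for paths that may be served."""
    decoded = canonical_path(requested)
    if not decoded or decoded.startswith("/") or "\x00" in decoded or "\\" in decoded:
        return False
    root = posixpath.normpath(root)
    resolved = posixpath.normpath(posixpath.join(root, decoded))
    return resolved == root or resolved.startswith(root + "/")


if __name__ == "__main__":
    for req in ("css/site.css", "../application.properties",
                "%2e%2e%2fapplication.properties", "..%2fapplication.properties",
                "%252e%252e%252fapplication.properties", "/etc/hosts"):
        print(f"{req!r:45} naive-allows={naive_reject(req)!s:5} hardened-allows={is_safe_static_path(req)}")
```

The decisive difference is that the hardened check never reasons about the request string directly: it decides on the resolved filesystem path, so any encoding or segment trick that still resolves outside the root is rejected regardless of how it was spelled.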
🧯 If You Can't Patch
- Implement strict file system permissions to limit what files the application process can access
- Use web application firewall (WAF) rules to block requests containing path traversal patterns
🔍 How to Verify
Check if Vulnerable:
Check if application uses WebMvc.fn or WebFlux.fn for static resource serving and runs on vulnerable Spring Framework versions.
Check Version:
Check application dependencies or use: java -cp [application.jar] org.springframework.boot.loader.JarLauncher --version
Verify Fix Applied:
Verify Spring Framework version is 6.1.19+, 6.0.29+, or Spring Boot 3.3.2+/3.2.10+. Test with path traversal requests that should be rejected.
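A dependable way to confirm which spring-core build an application actually ships is to read the `Implementation-Version` entry from the jar manifest (the value `SpringVersion.getVersion()` reports) and, for a Spring Boot executable jar, to list the `BOOT-INF/lib/spring-core-*.jar` entries it bundles. The script below is an added example, not a tool from the advisory or from Spring; it compares the version found against the fixed versions this page lists (6.1.19 and 6.0.29) and reports any release line the page does not cover as needing manual review rather than guessing. The directory and jar paths in the usage are placeholders.

```python
import re
import zipfile
from pathlib import Path

# First fixed patch per release line, as listed in this advisory.
FIXED_BY_LINE = {
    (6, 1): (6, 1, 19),
    (6, 0): (6, 0, 29),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'6.1.19' or '6.1.19-SNAPSHOT' -> (6, 1, 19); None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def version_status(version_str):
    """'fixed', 'vulnerable', 'unknown-line' (release line not covered by this
    advisory's fix list, review manually) or 'unparseable'."""
    v = parse_version(version_str or "")
    if v is None:
        return "unparseable"
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        return "unknown-line"
    return "fixed" if v >= fixed else "vulnerable"


def jar_version(jar_path):
    """Read Implementation-Version from META-INF/MANIFEST.MF; if the jar cannot
    be opened or lacks the entry, fall back to the version in the file name."""
    p = Path(jar_path)
    try:
        with zipfile.ZipFile(p) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        pass
    m = re.search(r"spring-core-(\d+\.\d+\.\d+)", p.name)
    return m.group(1) if m else None


def spring_core_versions_in_boot_jar(app_jar):
    """A Spring Boot executable jar bundles its dependencies under BOOT-INF/lib/;
    return the spring-core versions named there."""
    with zipfile.ZipFile(app_jar) as zf:
        return [m.group(1) for m in
                (re.match(r"BOOT-INF/lib/spring-core-(\d+\.\d+\.\d+)[^/]*\.jar$", n)
                 for n in zf.namelist()) if m]


def audit_directory(lib_dir):
    """Map every spring-core jar found under lib_dir to (version, status)."""
    return {str(j): (jar_version(j), version_status(jar_version(j)))
            for j in Path(lib_dir).rglob("spring-core-*.jar")}


if __name__ == "__main__":
    # Placeholder paths; point these at the deployed application.
    for jar, (ver, status) in audit_directory("/opt/app/lib").items():
        print(f"{status:12} {ver:10} {jar}")
    for ver in spring_core_versions_in_boot_jar("/opt/app/application.jar"):
        print(f"{version_status(ver):12} {ver:10} (bundled in BOOT-INF/lib)")
```

Because the page itself states that no authoritative version range is recorded for this CVE, treat 'unknown-line' results as a prompt to consult the vendor advisory rather than as a clean bill of health.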
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' sequences
- Access to unexpected file paths in static resource handlers
- 403 or 404 errors for path traversal attempts after patching
Network Indicators:
- HTTP requests with encoded path traversal sequences (%2e%2e%2f, ..%2f)
- Requests to non-standard static resource paths
SIEM Query:
http.url:*%2e%2e* OR http.uri:*..* AND (http.user_agent:*Spring* OR destination.port:8080)
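A literal substring search like the query above depends on how the request was encoded: `%2e` versus `%2E`, a double-encoded `%252e`, or a mixed form such as `..%2F` all spell the same path, and a bare `*..*` wildcard also fires on harmless names like `logo..png`. The following added example (not from the advisory, nor a vendor tool) applies the page's indicators to access-log lines more robustly: it percent-decodes each request path in a bounded loop, then flags a line only when a whole path segment is `..`, and records whether the server answered 200 (the resource was likely served) or 403/404 (the behaviour the page describes after patching). The log lines are constructed samples in combined log format, not captured traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /static/css/site.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /static/../application.properties HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /static/%2e%2e%2f%2e%2e%2fetc/hosts HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /static/..%2Fapplication.properties HTTP/1.1" 403 0 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /static/%252e%252e%252fWEB-INF/web.xml HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2025:10:00:05 +0000] "GET /static/img/logo..png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path, max_rounds=3):
    """Percent-decode until stable (bounded) so double-encoded forms are unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path):
    """True only if a complete '/'-separated segment of the decoded path is '..';
    file names that merely contain '..' (e.g. 'logo..png') do not match."""
    decoded = fully_decode(path.split("?", 1)[0])
    return any(seg == ".." for seg in decoded.split("/"))


def scan_log(text):
    """Return one record per traversal attempt: source, timestamp, raw and decoded
    path, HTTP status, and whether the server appears to have served the file."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not has_traversal(m["path"]):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "path": m["path"],
            "decoded": fully_decode(m["path"]), "status": status,
            "served": status == 200,
        })
    return hits


def attempts_by_source(hits):
    """Count traversal attempts per client address, for alert thresholds."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        flag = "SERVED" if h["served"] else "blocked"
        print(f"{h['ts']}  {h['ip']:10} {h['status']} {flag:8} {h['decoded']}")
    print(dict(attempts_by_source(found)))
```

In a real pipeline the same two rules (decode before matching, match on whole segments) carry over to the SIEM: normalise the URL field at ingest time, then alert on a `..` segment rather than on the raw substring, and prioritise hits that returned 200, since those are the requests where content may actually have left the server.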