Security
Sep 18, 2024

CVE-2024-38816: Path Traversal Vulnerability Discovered in Spring Framework

Protect your Spring Framework application from CVE-2024-38816 with security fixes from HeroDevs


A significant path traversal vulnerability has been discovered in the Spring Framework: CVE-2024-38816. This vulnerability allows attackers to exploit the way static resources are served through certain functional web frameworks, potentially exposing sensitive files on the server.

CVE-2024-38816

This vulnerability affects Spring Framework versions 5.3.0 to 5.3.39, 6.0.0 to 6.0.23, and 6.1.0 to 6.1.12. The vulnerability is caused by improper handling of static resources in applications using the WebMvc.fn or WebFlux.fn frameworks, allowing attackers to craft malicious HTTP requests and access files within the file system that are accessible to the Spring application.

This vulnerability does not affect all Spring applications; an application may already be protected if either of the following is true:

  • Spring Security's HTTP Firewall is enabled.
  • The application is deployed on Tomcat or Jetty servers, as these web servers block such malicious requests.

However, the application is at risk if both of the following conditions are in place:

  • The application uses RouterFunctions to serve static resources.
  • Resource handling is configured with a FileSystemResource location.

Fixes for This Vulnerability

Fixes for the CVE-2024-38816 vulnerability have been made available, and Spring Framework users are encouraged to upgrade to the following versions to mitigate the issue:

  • For Spring Framework 5.3.x, upgrade to 5.3.39-spring-framework-5.3.41, available through HeroDevs' Never-Ending Support for Spring.
  • For Spring Framework 6.1.x, upgrade to 6.1.13, available through Open Source Support.

The following packages are affected by this vulnerability:

  • org.springframework:spring-webflux
  • org.springframework:spring-webmvc

For users on older, unsupported versions, it is recommended that Spring Security's HTTP Firewall be enabled, or that the application be moved to a web server such as Tomcat or Jetty that blocks such malicious requests, to secure it against this vulnerability.
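The two at-risk conditions listed above, and the HTTP Firewall mitigation, are easier to recognise in configuration than in prose. The following is an added example, not code from the HeroDevs post or from the Spring project: a WebMvc.fn configuration that matches both conditions (a RouterFunction serving static resources from a FileSystemResource location), followed by the Spring Security HTTP Firewall wiring the advisory recommends for deployments that cannot upgrade immediately. The package name, bean names, the `/files/**` pattern and the `/var/app/static/` directory are assumptions, as is the note that Spring Security 5.x/6.x picks up an `HttpFirewall` bean automatically; the explicit `WebSecurityCustomizer` is included so the choice does not depend on that.

```java
// Added example (not from the HeroDevs post or the Spring project): the two
// at-risk conditions from the advisory, written as a WebMvc.fn configuration,
// next to the Spring Security HTTP Firewall mitigation the advisory names.
// Package, bean names, the URL pattern and the directory are assumptions.
package example.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.web.servlet.function.RouterFunction;
import org.springframework.web.servlet.function.RouterFunctions;
import org.springframework.web.servlet.function.ServerResponse;

@Configuration
public class StaticResourceConfig {

    // Condition 1 and condition 2 from the advisory in one bean: a
    // RouterFunction that serves static resources, with the resource location
    // given as a FileSystemResource. On the affected versions (5.3.0-5.3.39,
    // 6.0.0-6.0.23, 6.1.0-6.1.12) this is the configuration CVE-2024-38816
    // concerns when neither the HTTP Firewall nor the servlet container
    // rejects malformed paths. The trailing slash on the directory matters:
    // relative resolution is applied against the location string as given.
    @Bean
    public RouterFunction<ServerResponse> staticFiles() {
        return RouterFunctions.resources("/files/**",
                new FileSystemResource("/var/app/static/"));
    }

    // Mitigation for deployments that cannot upgrade yet: Spring Security's
    // HTTP Firewall. StrictHttpFirewall is the default once Spring Security is
    // on the classpath; declaring it explicitly makes the control visible in
    // review and keeps it from being replaced by a more permissive firewall
    // elsewhere in the configuration. Its defaults reject encoded slashes,
    // "." and ".." segments, backslashes, null bytes and non-normalised paths.
    @Bean
    public HttpFirewall httpFirewall() {
        return new StrictHttpFirewall();
    }

    // Explicit wiring (Spring Security 5.7+ / 6.x) so the firewall above is
    // applied to the FilterChainProxy regardless of bean auto-detection.
    @Bean
    public WebSecurityCustomizer firewallCustomizer(HttpFirewall firewall) {
        return web -> web.httpFirewall(firewall);
    }
}
```

The firewall is a compensating control, not a fix: it rejects the malformed request before it reaches the RouterFunction, while the upgraded Spring Framework versions listed above correct the resource resolution itself. Check during review that no other configuration class replaces the `HttpFirewall` bean with `DefaultHttpFirewall`, which would remove the protection silently.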

Why Upgrade with HeroDevs?

HeroDevs offers comprehensive support for legacy software like Spring Framework, providing security patches and long-term maintenance for businesses relying on end-of-life (EOL) software.

Key benefits of HeroDevs’ Never-Ending Support for Spring include:

  • Security Updates: Immediate fixes for vulnerabilities like CVE-2024-38816, ensuring your applications are protected against known exploits.
  • Seamless Integration: Drop-in replacements that work effortlessly with your existing Spring setup.
  • Regulatory Compliance: Ongoing updates to help your business meet industry security and regulatory standards like HIPAA, FedRAMP, and SOC 2.
  • Expert Support: Backed by a team of specialists deeply experienced with Spring Framework and web security.

Conclusion

The CVE-2024-38816 vulnerability presents a serious security risk to applications using affected versions of Spring Framework, potentially allowing unauthorized access to sensitive files. By upgrading to the latest fixed versions and utilizing the Spring Security HTTP Firewall or switching to a more secure web server like Tomcat or Jetty, organizations can protect their systems from this path traversal attack.

Secure your applications today by upgrading to the latest version of Spring Framework, or consider HeroDevs’ Never-Ending Support for Spring for long-term protection.

Article Summary: CVE-2024-38816 is a high-severity path traversal vulnerability found in the Spring Framework. Mitigate this issue immediately by using HeroDevs' Never-Ending Support for Spring.

Author: HeroDevs