Overview
Spring Framework is a comprehensive Java framework for building enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of web applications by allowing you to use Java as your primary language while offering a variety of tools to manage application configuration, data access, and security.
A path traversal vulnerability (CVE-2024-38816) has been identified in Spring. This vulnerability allows attackers to exploit the application’s improper handling of file paths to access sensitive files on the server, posing the risk of data exposure and potential system compromise.
Per OWASP: A path traversal attack (also known as “dot-dot-slash”, “directory traversal”, “directory climbing”, and “backtracking”) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. It should be noted that access to files is limited by system operational access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).
This issue affects Spring Framework versions >=5.3.0, <=5.3.39, >=6.0.0, <=6.0.23, >=6.1.0, <=6.1.12
Details
Module Info
- Product: Spring Framework
- Affected packages: spring-webmvc, spring-webflux
- Affected versions: >= 6.1.0, < 6.1.13, >= 6.0.0, < 6.0.24, < 5.3.40
- GitHub repository: https://github.com/spring-projects/spring-framework
- Package manager: Maven
Vulnerability Info
This High-severity vulnerability is found in the spring-webmvc and spring-webflux packages of the Spring Framework in versions greater than or equal to 5.3.0 and less than 6.1.13.
The vulnerability is caused by improper handling of file paths in applications serving static resources through the WebMvc.fn or WebFlux.fn functional web frameworks. By crafting malicious HTTP requests, attackers can exploit this flaw to bypass restrictions and gain access to files on the server’s file system that are accessible to the process in which the Spring application is running. This can lead to unauthorized access to sensitive data, posing a risk of data breaches and system compromise.
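As an added illustration (not Spring's code and not the fix for this CVE), the following Python function shows the checks a static-resource lookup must apply before mapping a request path onto the file system, run against constructed request paths that cover the dot-dot-slash variations and absolute paths described above; STATIC_ROOT and the sample requests are assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example root: where the application's static files live.
STATIC_ROOT = "/srv/app/static"


def resolve_static_path(root: str, remainder: str) -> Optional[str]:
    """Map the part of the request path after the route pattern (e.g. what
    follows "/static/") onto a file under `root`.

    Returns the resolved absolute path, or None when the request must be
    rejected. The checks mirror what any static-resource lookup has to do:
    decode percent-encoding exactly once, refuse double encoding, refuse
    absolute paths and backslashes, normalize dot segments, and finally
    confirm the result is still inside `root`.
    """
    decoded = unquote(remainder)
    if unquote(decoded) != decoded:      # e.g. %252e%252e -> %2e%2e -> ..
        return None
    if "\x00" in decoded or "\\" in decoded:
        return None
    if decoded.startswith("/"):          # absolute path: never resolve it
        return None
    root = posixpath.normpath(root)
    resolved = posixpath.normpath(posixpath.join(root, decoded))
    # Containment check: a "../" that climbs above root fails here, while
    # "css/../img/logo.png" (which stays inside root) still passes.
    if resolved != root and not resolved.startswith(root + "/"):
        return None
    return resolved


# Constructed request samples covering the variations OWASP lists.
SAMPLE_REQUESTS = [
    "css/app.css",
    "css/../img/logo.png",
    "../application.properties",
    "%2e%2e/application.properties",
    "..%2f..%2fetc/passwd",
    "%252e%252e/application.properties",
    "/etc/passwd",
    "..\\application.properties",
]


def classify(requests):
    """Return {request: resolved path or None} for a batch of remainders."""
    return {r: resolve_static_path(STATIC_ROOT, r) for r in requests}


if __name__ == "__main__":
    for req, result in classify(SAMPLE_REQUESTS).items():
        print(f"{'ALLOW' if result else 'REJECT':6} {req!r} -> {result}")
```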
Steps To Reproduce
Our team will update these steps as soon as more is known.
Mitigation
Spring Framework 5.3 is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to supported versions of Spring Framework
- Users of older, unsupported versions could enable Spring Security's Firewall in their application, or switch to using Tomcat or Jetty as the web server, because they reject such malicious requests
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credit