By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

CVE-2024-38819

Path Traversal

Affects

Spring Framework

>= 6.1.0, < 6.1.14 >= 6.0.0, < 6.0.25 < 5.3.41

Spring

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

Spring Framework is a comprehensive Java framework for building enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of web applications by allowing you to use Java as your primary language while offering a variety of tools to manage application configuration, data access, and security.

Similar to CVE-2024-38816, this CVE addresses double encoding vulnerabilities in spring-webmvc and spring-webflux packages.

‍

Details

Module Info

Product: Spring Framework
Affected packages: spring-webflux, spring-webmvc
Affected versions: >= 6.1.0, < 6.1.14, >= 6.0.0, < 6.0.25, < 5.3.41
GitHub repository: https://github.com/spring-projects/spring-framework
Package manager: Maven
Fixed in: Spring NES v5.3.43

‍

Vulnerability Info

Applications serving static resources through the functional web frameworks, WebMvc.fn or WebFlux.fn, are vulnerable to path traversal attacks. By using double URL encoding, an attacker can craft malicious HTTP requests that bypass path checks, potentially accessing any file on the file system accessible to the Spring application's process.

This vulnerability is similar to CVE-2024-38816, with the key difference being the method of attack, as double URL encoding is used to evade standard input validation.

‍

Steps To Reproduce

Double encoding should not be allowed. We can verify that requests are blocked by modifying the ResourceHttpRequestHandlerTests test, specifically shouldRejectInvalidPath, in the Spring Framework. Updating this test in a vulnerable version will result in a failure, while it should pass in a fixed version.

@Test
public void shouldRejectInvalidPath() throws Exception {
		..
		..
		testInvalidPath("/%2E%2E/testsecret/secret.txt", handler);
		testInvalidPath("/%2E%2E/testsecret/secret.txt", handler);
		// double encoded ../ should be blocked
		testInvalidPath("%252E%252E%252F/testsecret/secret.txt", handler);
	}

‍

Mitigation

Spring Framework 5.3 is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

Upgrade affected applications to supported versions of Spring Framework
Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credit

Masato Anzai of Aeye Security Lab, Inc

‍

What is a HeroDevs Security Advisory?

Vulnerability Details

CVE-2024-38819

PROJECT Affected

Spring Framework

Versions Affected

>= 6.1.0, < 6.1.14 >= 6.0.0, < 6.0.25 < 5.3.41

Published date

October 30, 2024

≈ Fix date

October 30, 2024

Fixed in

NES for Spring

Severity

High