Overview
Spring Framework is a comprehensive Java framework for building enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of web applications by allowing you to use Java as your primary language while offering a variety of tools to manage application configuration, data access, and security.
Similar to CVE-2024-38816, this CVE (CVE-2024-38819) addresses double encoding vulnerabilities in spring-webmvc and spring-webflux packages.
This issue affects multiple versions of Spring Security.
Details
Module Info
- Product: Spring Framework
- Affected packages: spring-webflux, spring-webmvc
- Affected versions: <5.3.41, >=6.0.0 <6.0.25, >=6.1.0 <6.1.14
- GitHub repository: https://github.com/spring-projects/spring-framework
- Package manager: Maven
- Fixed in: Spring NES v5.3.43
Vulnerability Info
Applications serving static resources through the functional web frameworks, WebMvc.fn or WebFlux.fn, are vulnerable to path traversal attacks. By using double URL encoding, an attacker can craft malicious HTTP requests that bypass path checks, potentially accessing any file on the file system accessible to the Spring application's process.
This vulnerability is similar to CVE-2024-38816, with the key difference being the method of attack, as double URL encoding is used to evade standard input validation.
Steps To Reproduce
Double encoding should not be allowed. We can verify that requests are blocked by modifying the ResourceHttpRequestHandlerTests test, specifically shouldRejectInvalidPath, in the Spring Framework. Updating this test in a vulnerable version will result in a failure, while it should pass in a fixed version.
@Test
public void shouldRejectInvalidPath() throws Exception {
..
..
testInvalidPath("/%2E%2E/testsecret/secret.txt", handler);
testInvalidPath("/%2E%2E/testsecret/secret.txt", handler);
// double encoded ../ should be blocked
testInvalidPath("%252E%252E%252F/testsecret/secret.txt", handler);
}
Credits
- Masato Anzai of Aeye Security Lab, Inc.
Mitigation
Spring Framework 5.3 is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to supported versions of Spring Framework.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.