CVE-2024-38819

Path Traversal
Affects
Spring Framework
<5.3.41, >=6.0.0 <6.0.25, >=6.1.0 <6.1.14
in
Spring
No items found.
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Spring Framework is a comprehensive Java framework for building enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of web applications by allowing you to use Java as your primary language while offering a variety of tools to manage application configuration, data access, and security.

Similar to CVE-2024-38816, this CVE (CVE-2024-38819) addresses double encoding vulnerabilities in spring-webmvc and spring-webflux packages.

This issue affects multiple versions of Spring Security.

Details

Module Info

Vulnerability Info

Applications serving static resources through the functional web frameworks, WebMvc.fn or WebFlux.fn, are vulnerable to path traversal attacks. By using double URL encoding, an attacker can craft malicious HTTP requests that bypass path checks, potentially accessing any file on the file system accessible to the Spring application's process.

This vulnerability is similar to CVE-2024-38816, with the key difference being the method of attack, as double URL encoding is used to evade standard input validation.

Steps To Reproduce

Double encoding should not be allowed. We can verify that requests are blocked by modifying the ResourceHttpRequestHandlerTests test, specifically shouldRejectInvalidPath, in the Spring Framework. Updating this test in a vulnerable version will result in a failure, while it should pass in a fixed version.

@Test
public void shouldRejectInvalidPath() throws Exception {
	..
	..
	testInvalidPath("/%2E%2E/testsecret/secret.txt", handler);
	testInvalidPath("/%2E%2E/testsecret/secret.txt", handler);
	// double encoded ../ should be blocked
	testInvalidPath("%252E%252E%252F/testsecret/secret.txt", handler);
}

Credits

  • Masato Anzai of Aeye Security Lab, Inc.

Mitigation

Spring Framework 5.3 is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Framework.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details
ID
CVE-2024-38819
PROJECT Affected
Spring Framework
Versions Affected
<5.3.41, >=6.0.0 <6.0.25, >=6.1.0 <6.1.14
Published date
October 30, 2024
≈ Fix date
October 30, 2024
Severity
High
Category
Path Traversal