Platform: java
Component: org.springframework:spring-webflux
Fixed in: 5.3.1, 6.1.14
CVE-2024-38819 describes a Path Traversal vulnerability affecting Spring Webflux. This flaw allows attackers to potentially access sensitive files on the server's filesystem by crafting malicious HTTP requests. The vulnerability impacts versions of Spring Webflux up to and including 6.1.9. A fix is available in version 6.1.14.
An attacker exploiting CVE-2024-38819 can craft malicious HTTP requests to access files outside of the intended static resource directory. This could include configuration files, source code, or other sensitive data stored on the server. The potential impact is significant, as an attacker could gain access to credentials, API keys, or proprietary information. The blast radius extends to any application utilizing Spring Webflux's static resource serving capabilities, particularly those serving user-uploaded content or relying on dynamic file paths. Successful exploitation could lead to data breaches, system compromise, and reputational damage.
CVE-2024-38819 was publicly disclosed on December 19, 2024. There are currently no known public exploits, but the vulnerability's ease of exploitation makes it a likely target for attackers. It is not currently listed on the CISA KEV catalog. The vulnerability's impact is amplified by the widespread use of Spring Framework in enterprise applications.
Organizations deploying Spring Boot applications that serve static resources using WebMvc.fn or WebFlux.fn are at risk, particularly those running versions of Spring Webflux prior to 6.1.14. Shared hosting environments where multiple applications share the same server and file system are especially vulnerable, as a compromise of one application could potentially expose files belonging to others.
• java / server:
find / -name "spring-webflux*.jar" 2>/dev/null  # list installed spring-webflux jars; the version in the file name shows whether you are below 6.1.14
• generic web:
curl -I 'http://your-server/../../../../etc/passwd' # Attempt path traversal disclosure
Exploit status
EPSS
74.50% (99th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-38819 is to upgrade to Spring Webflux version 6.1.14 or later. If immediate upgrading is not feasible, consider implementing stricter file access controls and input validation to limit the attacker's ability to manipulate file paths. Web Application Firewalls (WAFs) configured with rules to block path traversal attempts can provide an additional layer of defense. Review and restrict the permissions granted to the process running the Spring application to minimize the potential impact of a successful exploit. Monitor access logs for suspicious file requests.
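The "stricter file access controls and input validation" named above can be made concrete in a WebFlux.fn route. The following Java class is an added, hypothetical example written for this page; it is not code from the Spring project, from the advisory, or from the fix in 6.1.14. The class name SafeStaticRoutes, the route pattern /files/{*path} and the base directory /srv/app/public are assumptions. It serves files from a single directory and refuses any request whose normalized path would leave that directory, while still treating the upgrade as the real remedy.

```java
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.springframework.core.io.FileSystemResource;
import org.springframework.http.HttpStatus;
import org.springframework.web.reactive.function.server.HandlerFunction;
import org.springframework.web.reactive.function.server.RouterFunction;
import org.springframework.web.reactive.function.server.RouterFunctions;
import org.springframework.web.reactive.function.server.ServerRequest;
import org.springframework.web.reactive.function.server.ServerResponse;

/**
 * Hypothetical WebFlux.fn router (example for this page, not Spring's own
 * resource handling). Files are served only from BASE; any request that
 * normalizes to a path outside BASE is answered with 403.
 */
public class SafeStaticRoutes {

    // Assumed base directory; adjust to the deployment.
    private static final Path BASE =
            Paths.get("/srv/app/public").toAbsolutePath().normalize();

    /**
     * Resolves a client-supplied relative path against base and returns null
     * when the result would lie outside base. Pure path arithmetic, no I/O,
     * so it can be unit-tested without a running server.
     */
    static Path resolveWithinBase(Path base, String relative) {
        if (relative == null
                || relative.indexOf('\0') >= 0      // null bytes never belong in a file name
                || relative.indexOf('\\') >= 0) {   // only "/" is accepted as a separator
            return null;
        }
        // {*path} captures the leading "/"; resolving an absolute path would
        // discard base entirely, so strip leading slashes first.
        String rel = relative.replaceFirst("^/+", "");
        if (rel.isEmpty()) {
            return null;                            // no file named; no directory listings
        }
        Path candidate = base.resolve(rel).normalize();  // collapses "." and ".." segments
        return candidate.startsWith(base) ? candidate : null;
    }

    static HandlerFunction<ServerResponse> serveFile(Path base) {
        return (ServerRequest request) -> {
            // Path variables from {*path} are already percent-decoded by Spring's
            // PathPattern matching, so the containment check sees the real path.
            Path target = resolveWithinBase(base, request.pathVariable("path"));
            if (target == null) {
                return ServerResponse.status(HttpStatus.FORBIDDEN).build();
            }
            // NOFOLLOW_LINKS: a symlink inside base pointing elsewhere is not served
            if (!Files.isRegularFile(target, LinkOption.NOFOLLOW_LINKS)) {
                return ServerResponse.notFound().build();
            }
            return ServerResponse.ok().bodyValue(new FileSystemResource(target));
        };
    }

    /** Register this RouterFunction as a bean to expose GET /files/... */
    public static RouterFunction<ServerResponse> routes() {
        return RouterFunctions.route()
                .GET("/files/{*path}", serveFile(BASE))
                .build();
    }
}
```

With BASE set to /srv/app/public, resolveWithinBase(BASE, "/css/site.css") yields /srv/app/public/css/site.css, while resolveWithinBase(BASE, "/../../etc/passwd") normalizes to /etc/passwd, fails the startsWith check and returns null, so the handler answers 403 before touching the filesystem. Logging those 403 responses gives the access-log signal the paragraph above recommends monitoring for.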
Upgrade to the Spring Framework version that fixes this vulnerability. Consult the Spring security announcement for details on the affected and fixed versions. Consider applying the mitigations recommended by Spring if an immediate upgrade is not possible.
CVE-2024-38819 is a Path Traversal vulnerability affecting Spring Webflux versions up to 6.1.9, allowing attackers to access files on the server's filesystem.
You are affected if you are using Spring Webflux versions 6.1.9 or earlier and serve static resources using WebMvc.fn or WebFlux.fn.
Upgrade to Spring Webflux version 6.1.14 or later. Implement WAF rules to filter malicious path traversal attempts as a temporary workaround.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to be targeted soon.
Refer to the Spring Security Vulnerability Updates page for the latest information: https://security.spring.io/.