Platform
java
Component
org.springframework:spring-webflux
Fixed in
5.3.1
6.1.14
CVE-2024-38819 describes a Path Traversal vulnerability affecting Spring Webflux. This flaw allows attackers to potentially access sensitive files on the server's filesystem by crafting malicious HTTP requests. The vulnerability impacts versions of Spring Webflux up to and including 6.1.9. A fix is available in version 6.1.14.
The core of this vulnerability lies in how Spring Webflux handles static resource requests through its functional web frameworks, WebMvc.fn and WebFlux.fn. An attacker can exploit this by manipulating the request path to bypass intended access controls. This allows them to read arbitrary files accessible to the Spring application's process, potentially including configuration files, source code, or even sensitive data like database credentials. The blast radius is significant, as successful exploitation could lead to complete compromise of the server and its data. While no direct precedent is immediately obvious, the underlying mechanism shares similarities with other path traversal vulnerabilities where improper input validation allows access to unauthorized resources.
CVE-2024-38819 was publicly disclosed on December 19, 2024. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the widespread use of Spring Webflux. Monitor security advisories and vulnerability databases for updates.
Organizations deploying Spring Boot applications that serve static resources using WebMvc.fn or WebFlux.fn are at risk, particularly those running versions of Spring Webflux prior to 6.1.14. Shared hosting environments where multiple applications share the same server and file system are especially vulnerable, as a compromise of one application could potentially expose files belonging to others.
• java / server:
find / -name "spring-webflux*.jar" 2>/dev/null   # list installed spring-webflux jars; check each version against 6.1.14
• generic web:
curl -I 'http://your-server/../../../../etc/passwd' # Attempt path traversal
Disclosure
Exploit Status
EPSS
74.50% (percentile 99%)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to Spring Webflux version 6.1.14 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy with rules to filter out malicious path traversal attempts. Specifically, look for patterns involving directory traversal sequences like ../ or encoded equivalents. Additionally, review your application's static resource configuration to ensure that access controls are properly enforced and that only authorized files are served. After upgrading, verify the fix by attempting to access a file outside the intended static resource directory using a crafted HTTP request; the request should be denied.
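A stand-alone model of the containment check a static-resource lookup must make, together with the coarse WAF-style pattern rule the mitigation above describes. This is an added example in Python, not Spring code; the static root, the helper names and the sample requests (including the encoded variants) are constructed for illustration.

```python
from pathlib import Path
from urllib.parse import unquote

# Constructed static-resource root; it does not need to exist for the check.
STATIC_ROOT = "/srv/app/static"


def canonical_request_path(request_path: str) -> str:
    """Strip the query string, percent-decode repeatedly (catches %252e%252e)
    and normalise separators, so the check sees what the filesystem would."""
    path = request_path.split("?", 1)[0]
    for _ in range(3):  # bounded: stop once decoding no longer changes anything
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def lookup_static(base_dir: str, request_path: str):
    """Return the file request_path may read under base_dir, or None when the
    resolved location escapes base_dir (serving such a file is the bug)."""
    path = canonical_request_path(request_path)
    if "\0" in path:
        return None
    base = Path(base_dir).resolve()
    candidate = (base / path.lstrip("/")).resolve()  # collapses every '..'
    if candidate != base and base not in candidate.parents:
        return None
    return candidate


def is_traversal_attempt(request_path: str) -> bool:
    """Coarse WAF-style rule from the mitigation text: flag any '..' segment,
    plain or encoded. It also flags harmless '/css/../index.html'."""
    return ".." in canonical_request_path(request_path).split("/")


# Constructed sample requests: one benign, the page's curl probe, encoded variants.
SAMPLE_REQUESTS = ["/css/site.css", "/../../../../etc/passwd",
                   "/%2e%2e/%2e%2e/etc/passwd", "/%252e%252e/etc/passwd",
                   "/css/..%2f..%2fetc/passwd"]


def blocked_requests(base_dir: str = STATIC_ROOT) -> list:
    """Requests the containment check refuses to serve."""
    return [p for p in SAMPLE_REQUESTS if lookup_static(base_dir, p) is None]
```

The containment check, not the pattern rule, is what decides: a `..` that stays inside the root (`/css/../index.html`) resolves to a file under the root and is served, while every sample that escapes the root returns None.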
Upgrade to the Spring Framework version that fixes this vulnerability. Consult the Spring security advisory for details on the affected and fixed versions. Consider applying the mitigations recommended by Spring if upgrading is not immediately possible.
CVE-2024-38819 is a Path Traversal vulnerability affecting Spring Webflux versions up to 6.1.9, allowing attackers to access files on the server's filesystem.
You are affected if you are using Spring Webflux versions 6.1.9 or earlier and serve static resources using WebMvc.fn or WebFlux.fn.
Upgrade to Spring Webflux version 6.1.14 or later. Implement WAF rules to filter malicious path traversal attempts as a temporary workaround.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to be targeted soon.
Refer to the Spring Security Vulnerability Updates page for the latest information: https://security.spring.io/.