
A high-severity path traversal vulnerability has been disclosed in the Spring Framework. It allows an unauthenticated attacker to read files the application was never meant to serve, which makes leaked credentials, configuration and data, and from there further compromise, a realistic outcome.
The vulnerability, tracked as CVE-2024-38816 with a CVSS score of 7.5, lies in the handling of static resources served through the functional web frameworks WebMvc.fn and WebFlux.fn. By crafting malicious HTTP requests, an attacker can escape the configured resource location and retrieve any file on the server's file system that is readable by the process running the Spring application, such as configuration files containing secrets, application source and user data.
Specifically, an application is vulnerable when both of the following are true:
- The web application uses RouterFunctions to serve static resources
- Resource handling is explicitly configured with a FileSystemResource location
However, malicious requests are blocked and rejected when either of the following is true:
- The Spring Security HTTP Firewall is in use
- The application runs on Tomcat or Jetty
Note that Tomcat is the default embedded container in Spring Boot, so a Boot application on WebMvc.fn is exposed mainly when it has been switched to another servlet container. WebFlux.fn applications run on Reactor Netty by default, which is not covered by the second condition, so they need to be checked with more care.
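The configuration shape the two conditions describe, as an added example rather than code from the advisory or the Spring project, so the affected pattern can be located in an existing code base. It uses the real WebMvc.fn API (`RouterFunctions.resources` with a `FileSystemResource`); the bean names, route patterns and the `/srv/app/files/` directory are assumptions made for the example.

```java
// Added example (not from the advisory or the Spring project): the configuration
// shape that CVE-2024-38816 applies to, so it can be found in an existing code base.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.FileSystemResource;
import org.springframework.web.servlet.function.RouterFunction;
import org.springframework.web.servlet.function.RouterFunctions;
import org.springframework.web.servlet.function.ServerResponse;

@Configuration
public class StaticRoutes {

    // Condition 1: static resources served through RouterFunctions (WebMvc.fn here;
    // the WebFlux.fn equivalent lives in org.springframework.web.reactive.function.server).
    // Condition 2: the location is a FileSystemResource.
    // On Spring Framework 5.3.0-5.3.39, 6.0.0-6.0.23 or 6.1.0-6.1.12, without the
    // Spring Security HTTP Firewall and on a container other than Tomcat or Jetty,
    // this bean is the affected configuration. The directory is an assumed example path.
    @Bean
    public RouterFunction<ServerResponse> downloads() {
        return RouterFunctions.resources("/files/**", new FileSystemResource("/srv/app/files/"));
    }

    // Not within the advisory's conditions: the same kind of route, but the location is a
    // ClassPathResource rather than a FileSystemResource. Suitable for packaged assets
    // only; files written at runtime still need the FileSystemResource route above, and
    // the fix for that route is upgrading the framework.
    @Bean
    public RouterFunction<ServerResponse> assets() {
        return RouterFunctions.resources("/static/**", new ClassPathResource("static/"));
    }
}
```

To audit a code base, search for `RouterFunctions.resources` (and `RouterFunctions.resourceLookupFunction`) and check whether the location argument is a `FileSystemResource`; a `ClassPathResource` location does not meet the second condition.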
The impact of CVE-2024-38816 is far-reaching, as the Spring Framework is widely adopted across industries and applications. Any application using an affected version of the Spring Framework (5.3.0 to 5.3.39, 6.0.0 to 6.0.23, or 6.1.0 to 6.1.12) and serving static resources through the vulnerable components is at risk.
The Spring team has released patched versions that address this vulnerability: 6.1.13, 6.0.24 and 5.3.40. Organizations should upgrade their Spring Framework dependency to one of these versions without delay. Where an upgrade cannot be scheduled immediately, putting the Spring Security HTTP Firewall in front of the application or running on Tomcat or Jetty blocks the malicious requests, but neither is a substitute for the fix.
