
A new path traversal vulnerability has been identified in the Spring Framework that poses a significant risk to applications serving static resources via the WebMvc.fn or WebFlux.fn functional web frameworks.
The vulnerability, tracked as CVE-2024-38819 with a CVSS score of 7.5, arises when static resources are served through Spring's functional web frameworks, WebMvc.fn and WebFlux.fn. By crafting malicious HTTP requests, attackers can exploit this vulnerability to access files that are readable by the process running the Spring application.
By exploiting this vulnerability, threat actors might retrieve files that contain sensitive information such as configuration files, logs, or even credentials.
Affected versions include the following:
- 5.3.0 to 5.3.40
- 6.0.0 to 6.0.24
- 6.1.0 to 6.1.13
- Older, unsupported versions of Spring are also vulnerable.
Spring Framework has released patches. Users running affected versions are strongly advised to upgrade immediately to the following fixed versions:
- 5.3.x users should upgrade to 5.3.41
- 6.0.x users should upgrade to 6.0.25
- 6.1.x users should upgrade to 6.1.14
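The following is an added remediation check, not code from the advisory or from the Spring project: it parses dependency lines in the shape of `mvn dependency:list` output and flags Spring Framework versions that fall inside the affected ranges listed above. The sample lines are constructed input, and restricting the check to `spring-webmvc` and `spring-webflux` (the artifacts that ship WebMvc.fn and WebFlux.fn) is an assumption.

```python
import re
from typing import List, Optional, Tuple

# Inclusive affected ranges and the fixed release for each supported branch,
# exactly as listed in the advisory for CVE-2024-38819.
AFFECTED_RANGES = {
    (5, 3): ((5, 3, 0), (5, 3, 40), "5.3.41"),
    (6, 0): ((6, 0, 0), (6, 0, 24), "6.0.25"),
    (6, 1): ((6, 1, 0), (6, 1, 13), "6.1.14"),
}
# Assumption: only the artifacts that ship WebMvc.fn / WebFlux.fn are checked.
ARTIFACTS = {"spring-webmvc", "spring-webflux"}

DEP_RE = re.compile(
    r"org\.springframework:(?P<artifact>[\w-]+):jar:(?P<version>\d+\.\d+\.\d+)"
)


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Classify a Spring Framework version; returns (status, version to upgrade to)."""
    v = tuple(int(p) for p in version.split(".")[:3])
    branch = v[:2]
    if branch in AFFECTED_RANGES:
        low, high, fixed = AFFECTED_RANGES[branch]
        if low <= v <= high:
            return "affected", fixed
        return "fixed", None
    if v < (5, 3, 0):
        # The advisory states that older, unsupported versions are vulnerable too.
        return "unsupported-vulnerable", "5.3.41"
    return "not-listed", None  # branch not covered by the advisory


def scan_dependency_list(text: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (artifact, version, status, upgrade_to) for each relevant dependency."""
    findings = []
    for m in DEP_RE.finditer(text):
        if m["artifact"] in ARTIFACTS:
            status, upgrade = assess(m["version"])
            findings.append((m["artifact"], m["version"], status, upgrade))
    return findings


# Constructed sample in the shape of `mvn dependency:list` output.
SAMPLE = """\
[INFO]    org.springframework:spring-webmvc:jar:6.1.12:compile
[INFO]    org.springframework:spring-webflux:jar:6.0.25:compile
[INFO]    org.springframework:spring-core:jar:6.1.12:compile
[INFO]    org.springframework:spring-webmvc:jar:5.2.25.RELEASE:test
"""

if __name__ == "__main__":
    for artifact, version, status, upgrade in scan_dependency_list(SAMPLE):
        print(f"{artifact} {version}: {status}" + (f" -> upgrade to {upgrade}" if upgrade else ""))
```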