CVE-2024-38819
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-38819
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | affected | |
| debian | sid | affected | |
| debian | trixie | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.springframework:spring-webflux | >=6.1.0,<6.1.14 | 6.1.14 |
| Maven | org.springframework:spring-webmvc | >=6.1.0,<6.1.14 | 6.1.14 |
| Maven | org.springframework:spring-webflux | <=5.3.39 | |
| Maven | org.springframework:spring-webmvc | <=5.3.39 | |
| Maven | org.springframework:spring-webflux | >=6.0.0,<=6.0.23 | |
| Maven | org.springframework:spring-webmvc | >=6.0.0,<=6.0.23 | |
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-38819
- https://github.com/spring-projects/spring-framework/issues/33689
- https://github.com/spring-projects/spring-framework/commit/3bfbe30a7814c9ea1556d40df9bd87ddb3ba372d
- https://github.com/spring-projects/spring-framework/commit/fb7890d73975a3d9e0763e0926df2bd0a608e87e
- https://github.com/spring-projects/spring-framework
- https://security.netapp.com/advisory/ntap-20250110-0010
- https://spring.io/security/cve-2024-38819
- https://security-tracker.debian.org/tracker/CVE-2024-38819