Spring Framework Vulnerability Let Attackers obtain Any Files from the System

A newly discovered vulnerability in the Spring Framework has been identified, potentially allowing attackers to access any file on the system.

This vulnerability tracked as CVE-2024-38816, affects applications using the functional web frameworks WebMvc.fn or WebFlux.fn. It is classified as a path traversal vulnerability and poses a high risk to affected systems.

CVE-2024-38816-The Vulnerability

The vulnerability, CVE-2024-38816, arises when applications serve static resources using RouterFunctions combined with a FileSystemResource location.

This configuration can be exploited by attackers who craft malicious HTTP requests to gain unauthorized access to system files.

The vulnerability is particularly concerning as it can expose sensitive data and compromise system integrity.

However, not all systems using the Spring Framework are vulnerable. Applications that employ the Spring Security HTTP Firewall or run on Tomcat or Jetty servers are protected against these malicious requests. These configurations effectively block and reject attempts to exploit the vulnerability.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

Affected Spring Products and Versions

The following versions of the Spring Framework are affected by this vulnerability:

• Spring Framework 5.3.0 – 5.3.39
• Spring Framework 6.0.0 – 6.0.23
• Spring Framework 6.1.0 – 6.1.12

Older, unsupported versions of the Spring Framework are also vulnerable to this issue.

To address this critical vulnerability, users of affected versions should upgrade to the corresponding fixed version as outlined below:

Affected Version(s)	Fix Version	Availability
5.3.x	5.3.40	Enterprise Support Only
6.0.x	6.0.24	Enterprise Support Only
6.1.x	6.1.13	Open Source (OSS)

For users of older, unsupported versions, enabling Spring Security’s Firewall in their application or switching to Tomcat or Jetty as a web server can be effective mitigation strategies since these configurations automatically reject malicious requests.

As this vulnerability poses a significant risk of unauthorized file access, it is crucial for organizations using affected versions of the Spring Framework to take immediate action by upgrading to secure versions or implementing recommended mitigation measures.

Staying vigilant and proactive in addressing such vulnerabilities is essential in maintaining robust cybersecurity defenses. 

Developers and system administrators are urged to review their configurations and ensure that appropriate security measures are in place to safeguard their applications from potential exploitation through CVE-2024-38816.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar