Relative Path Traversal
CVE-2024-38819
Summary
Applications serving static resources through the functional web frameworks "WebMvc.fn" or "WebFlux.fn" are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. This is similar to CVE-2024-38816 but with different inputs. This issue affects the org.springframework:spring-webmvc and org.springframework:spring-webflux packages in versions prior to 6.1.14.
CVSS v3.1 base metrics
- Attack complexity: LOW
- Attack vector: NETWORK
- Privileges required: NONE
- Scope: UNCHANGED
- User interaction: NONE
- Availability impact: NONE
- Confidentiality impact: HIGH
- Integrity impact: NONE
CWE-23 - Relative Path Traversal
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
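The containment check the CWE text describes, applied to the static-resource case in the summary, as an added example: this is not code from the Spring Framework and not the fix shipped in 6.1.14. The resolver canonicalises the requested path against the static base directory before deciding whether to serve it, so ".." components, percent-encoded dots and symlinks are all resolved before the comparison instead of being searched for in the raw string. The function name resolve_static, the base directory and the sample files are constructed for the example.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_static(base_dir: str, request_path: str):
    """Map a request path onto a file below base_dir.

    Returns the canonical filesystem path to serve, or None when the
    request would resolve to a location outside base_dir. The decision is
    made on canonicalised paths (os.path.realpath), so '..' components,
    redundant separators and symlinks are resolved before the comparison,
    rather than by scanning the raw request string for '..'.
    """
    base = os.path.realpath(base_dir)
    # Percent-decode first: the containment check must see the same
    # characters the filesystem will see.
    decoded = unquote(request_path)
    # Drop leading separators so os.path.join keeps base as the root
    # instead of treating the request as an absolute path.
    relative = decoded.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base, relative))
    # Containment: candidate is base itself, or base + separator + more.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def demo_with_real_files():
    """Build a throwaway static directory (constructed sample data) with one
    legitimate file and one symlink pointing outside it, and report what
    resolve_static does with each. Returns a dict of booleans."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "static")
        os.makedirs(os.path.join(base, "css"))
        with open(os.path.join(base, "css", "app.css"), "w") as f:
            f.write("body {}\n")
        outside = os.path.join(root, "outside.txt")
        with open(outside, "w") as f:
            f.write("not for serving\n")
        results = {
            "plain": resolve_static(base, "/css/app.css") is not None,
            "dotdot": resolve_static(base, "/../outside.txt") is None,
            "encoded": resolve_static(base, "/%2e%2e/outside.txt") is None,
        }
        try:
            # A symlink inside the tree that points outside it is refused
            # too, because realpath follows it before the containment check.
            os.symlink(outside, os.path.join(base, "link.txt"))
            results["symlink"] = resolve_static(base, "/link.txt") is None
        except (OSError, NotImplementedError):
            results["symlink"] = None  # platform does not permit symlinks
        return results


if __name__ == "__main__":
    print(demo_with_real_files())
```

The important design choice is that the check compares canonical paths rather than rejecting strings containing "..": a legitimate request such as /css/../img/logo.png still resolves to a file inside the base directory and is served, while anything that canonicalises to a location outside it is refused regardless of how it was spelled.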
References
Advisory Timeline
- Published