
Relative Path Traversal

CVE-2024-38819

Severity High
Score 7.5/10

Summary

Applications that serve static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal. An attacker can craft HTTP requests that return any file on the file system that is readable by the process running the Spring application. The issue is similar to CVE-2024-38816 but is triggered by different inputs. It affects the org.springframework:spring-webmvc and org.springframework:spring-webflux packages in versions prior to 6.1.14.

CVSS v3.1 metrics (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N):

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality: HIGH
  • Integrity: NONE
  • Availability: NONE

CWE-23 - Relative Path Traversal

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
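The following is an added example and is not code from Spring or from this advisory. It shows the CWE-23 pattern beside a hardened lookup in plain Java (11 or later): a request sub-path is joined to a static-resource directory without neutralizing "..", and then the same lookup with decoding, normalization and a containment check. The class and method names (SafeStaticResolver, resolveUnsafe, resolveSafe) are hypothetical, the example assumes the route prefix (for instance "/static/") has already been stripped so the remaining sub-path is fully attacker-controlled, and the temporary directory and probe strings are constructed sample inputs. It goes beyond the literal "../" case in the CWE text to cover URL-encoded dots, backslashes, absolute paths and symlinks.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;

/**
 * Illustrative static-resource resolver (hypothetical; not Spring's implementation).
 * Assumes the caller has already removed the route prefix, so requestPath is the
 * remainder of the URL that an attacker controls completely.
 */
public final class SafeStaticResolver {

    private final Path baseDir;

    public SafeStaticResolver(Path baseDir) {
        // Canonical, absolute form of the directory lookups must stay inside.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /** CWE-23 pattern: decode (as a servlet container would) and join as-is. */
    public Path resolveUnsafe(String requestPath) {
        String decoded = URLDecoder.decode(requestPath, StandardCharsets.UTF_8);
        // ".." segments survive, and an absolute request path replaces baseDir entirely.
        return baseDir.resolve(decoded);
    }

    /** Hardened lookup: decode once, normalize, then enforce containment in baseDir. */
    public Optional<Path> resolveSafe(String requestPath) throws IOException {
        String decoded = URLDecoder.decode(requestPath, StandardCharsets.UTF_8);
        // A NUL byte, or a '%' still present after one decode (double encoding), is an
        // attempt to smuggle separators past this check; refuse rather than guess.
        if (decoded.indexOf('\0') >= 0 || decoded.indexOf('%') >= 0) {
            return Optional.empty();
        }
        // Treat backslashes as separators and drop leading slashes so the path is always
        // interpreted relative to baseDir, never as an absolute path.
        String relative = decoded.replace('\\', '/').replaceFirst("^/+", "");
        Path candidate = baseDir.resolve(relative).normalize();
        // Path.startsWith compares whole name elements, so "/srv/static2" does not pass
        // for a base of "/srv/static".
        if (!candidate.startsWith(baseDir)) {
            return Optional.empty();
        }
        // For files that exist, also follow symlinks: a link inside baseDir that points
        // outside must not be served either.
        if (Files.exists(candidate)
                && !candidate.toRealPath().startsWith(baseDir.toRealPath())) {
            return Optional.empty();
        }
        return Optional.of(candidate);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a throwaway directory standing in for the static root.
        Path base = Files.createTempDirectory("static-demo");
        Files.writeString(base.resolve("index.html"), "<h1>hello</h1>");
        SafeStaticResolver resolver = new SafeStaticResolver(base);

        String[] probes = {
            "index.html",                       // legitimate
            "css/../index.html",                // ".." that stays inside
            "../../../../etc/passwd",           // classic relative traversal
            "%2e%2e/%2e%2e/%2e%2e/etc/passwd",  // URL-encoded dots
            "..%5c..%5c..%5cetc%5cpasswd",      // encoded backslashes
            "/etc/passwd"                       // absolute path
        };
        for (String probe : probes) {
            Path unsafe = resolver.resolveUnsafe(probe).normalize();
            String unsafeVerdict = unsafe.startsWith(base) ? "inside" : "ESCAPES to " + unsafe;
            // "confined to" means the result stays under base; a missing file is a 404 downstream.
            String safeVerdict = resolver.resolveSafe(probe)
                    .map(p -> "confined to " + base.relativize(p))
                    .orElse("rejected");
            System.out.printf("%-34s unsafe: %-44s safe: %s%n", probe, unsafeVerdict, safeVerdict);
        }
    }
}
```

Run it with `java SafeStaticResolver.java` (single-file source launch). The unsafe resolver escapes the base directory for the plain and encoded ".." probes and for the absolute path; the hardened resolver rejects all of them and accepts only the sub-paths that normalize to a location inside the base directory. The backslash probe is the one to watch on Linux: the unsafe resolver reports it as "inside" because a backslash is an ordinary filename character there, which is exactly why the hardened version canonicalizes separators before checking containment rather than relying on platform behaviour.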

Advisory Timeline

  • Published