2312060 – (CVE-2024-38816) CVE-2024-38816 spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource

Bug 2312060 (CVE-2024-38816) - CVE-2024-38816 spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource

Summary: CVE-2024-38816 spring-webmvc: Path Traversal Vulnerability in Spring Applicat...

Keywords:
Status:	NEW
Alias:	CVE-2024-38816
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-09-13 06:20 UTC by OSIDB Bzimport
Modified:	2025-03-04 08:28 UTC (History)
CC List:	75 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:11023	0	None	None	None	2024-12-12 20:01:08 UTC
Red Hat Product Errata	RHSA-2024:8064	0	None	None	None	2024-10-14 15:53:48 UTC

Description OSIDB Bzimport 2024-09-13 06:20:32 UTC

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Specifically, an application is vulnerable when both of the following are true:

  *  the web application uses RouterFunctions to serve static resources
  *  resource handling is explicitly configured with a FileSystemResource location


However, malicious requests are blocked and rejected when any of the following is true:

  *  the  Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html  is in use
  *  the application runs on Tomcat or Jetty

Comment 1 errata-xmlrpc 2024-10-14 15:53:44 UTC

This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.4.3 for Spring Boot

Via RHSA-2024:8064 https://access.redhat.com/errata/RHSA-2024:8064

Comment 2 errata-xmlrpc 2024-12-12 20:01:03 UTC

This issue has been addressed in the following products:

  HawtIO 4.0.0 for Red Hat build of Apache Camel 4

Via RHSA-2024:11023 https://access.redhat.com/errata/RHSA-2024:11023

Note You need to log in before you can comment on or make changes to this bug.

adupliak
anstephe
asoldano
ataylor
avibelli
bbaranow
bgeorges
bmaxwell
boliveir
brian.stansberry
cdewolf
chazlett
clement.escoffier
cmiranda
dandread
darran.lofthouse
dhanak
dkreling
dosoudil
drichtar
ecerquei
fjuma
fmariani
gmalinko
gsmet
ibek
istudens
ivassile
iweiss
janstey
jkoops
jmartisk
jpoth
jrokos
jross
kaycoth
kverlaen
lgao
lthon
manderse
mnovotny
mosmerov
msochure
msvehla
nwallace
olubyans
parichar
pcongius
pdelbell
pdrozd
peholase
pgallagh
pjindal
pmackay
probinso
pskopek
rguimara
rkieley
rmartinc
rowaters
rruss
rstancel
rstepani
rsvoboda
saroy
sausingh
sbiarozk
sdouglas
smaestri
sthorger
tasato
tcunning
tom.jenkinson
tqvarnst
yfang