{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38816", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2024-06-19T22:32:06.582Z", "datePublished": "2024-09-13T06:10:06.598Z", "dateUpdated": "2024-09-13T13:45:05.327Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "packageName": "Spring Framework", "product": "Spring", "vendor": "Spring", "versions": [{"lessThan": "5.3.40", "status": "affected", "version": "5.3.x", "versionType": "enterprise Support Only"}, {"lessThan": "6.0.24", "status": "affected", "version": "6.0.x", "versionType": "enterprise Support Only"}, {"lessThan": "6.1.13", "status": "affected", "version": "6.1.x", "versionType": "OSS"}]}], "datePublic": "2024-09-12T05:20:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.</p><p>Specifically, an application is vulnerable when both of the following are true:</p><ul><li>the web application uses <code>RouterFunctions</code>&nbsp;to serve static resources</li><li>resource handling is explicitly configured with a <code>FileSystemResource</code>&nbsp;location</li></ul><p>However, malicious requests are blocked and rejected when any of the following is true:</p><ul><li>the <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html\">Spring Security HTTP Firewall</a>&nbsp;is in use</li><li>the application runs on Tomcat or Jetty</li></ul><br>"}], "value": "Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.\n\nSpecifically, an application is vulnerable when both of the following are true:\n\n * the web application uses RouterFunctions\u00a0to serve static resources\n * resource handling is explicitly configured with a FileSystemResource\u00a0location\n\n\nHowever, malicious requests are blocked and rejected when any of the following is true:\n\n * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html \u00a0is in use\n * the application runs on Tomcat or Jetty"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-09-13T06:10:06.598Z"}, "references": [{"url": "https://spring.io/security/cve-2024-38816"}], "source": {"discovery": "UNKNOWN"}, "title": "CVE-2024-38816: Path traversal vulnerability in functional web frameworks", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "spring_by_vmware_tanzu", "product": "spring_framework", "cpes": ["cpe:2.3:a:spring_by_vmware_tanzu:spring_framework:5.3.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.3.0", "status": "affected", "lessThan": "5.3.40", "versionType": "custom"}]}, {"vendor": "spring_by_vmware_tanzu", "product": "spring_framework", "cpes": ["cpe:2.3:a:spring_by_vmware_tanzu:spring_framework:6.0.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "6.0.0", "status": "affected", "lessThan": "6.0.24", "versionType": "custom"}]}, {"vendor": "spring_by_vmware_tanzu", "product": "spring_framework", "cpes": ["cpe:2.3:a:spring_by_vmware_tanzu:spring_framework:6.1.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "6.1.0", "status": "affected", "lessThan": "6.1.13", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-13T13:40:55.861149Z", "id": "CVE-2024-38816", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-13T13:45:05.327Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38816", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-13T13:40:55.861149Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:spring_by_vmware_tanzu:spring_framework:5.3.0:*:*:*:*:*:*:*"], "vendor": "spring_by_vmware_tanzu", "product": "spring_framework", "versions": [{"status": "affected", "version": "5.3.0", "lessThan": "5.3.40", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:spring_by_vmware_tanzu:spring_framework:6.0.0:*:*:*:*:*:*:*"], "vendor": "spring_by_vmware_tanzu", "product": "spring_framework", "versions": [{"status": "affected", "version": "6.0.0", "lessThan": "6.0.24", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:spring_by_vmware_tanzu:spring_framework:6.1.0:*:*:*:*:*:*:*"], "vendor": "spring_by_vmware_tanzu", "product": "spring_framework", "versions": [{"status": "affected", "version": "6.1.0", "lessThan": "6.1.13", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-13T13:44:40.994Z"}}], "cna": {"title": "CVE-2024-38816: Path traversal vulnerability in functional web frameworks", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring", "versions": [{"status": "affected", "version": "5.3.x", "lessThan": "5.3.40", "versionType": "enterprise Support Only"}, {"status": "affected", "version": "6.0.x", "lessThan": "6.0.24", "versionType": "enterprise Support Only"}, {"status": "affected", "version": "6.1.x", "lessThan": "6.1.13", "versionType": "OSS"}], "packageName": "Spring Framework", "defaultStatus": "affected"}], "datePublic": "2024-09-12T05:20:00.000Z", "references": [{"url": "https://spring.io/security/cve-2024-38816"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.\n\nSpecifically, an application is vulnerable when both of the following are true:\n\n * the web application uses RouterFunctions\u00a0to serve static resources\n * resource handling is explicitly configured with a FileSystemResource\u00a0location\n\n\nHowever, malicious requests are blocked and rejected when any of the following is true:\n\n * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html \u00a0is in use\n * the application runs on Tomcat or Jetty", "supportingMedia": [{"type": "text/html", "value": "<p>Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.</p><p>Specifically, an application is vulnerable when both of the following are true:</p><ul><li>the web application uses <code>RouterFunctions</code>&nbsp;to serve static resources</li><li>resource handling is explicitly configured with a <code>FileSystemResource</code>&nbsp;location</li></ul><p>However, malicious requests are blocked and rejected when any of the following is true:</p><ul><li>the <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html\">Spring Security HTTP Firewall</a>&nbsp;is in use</li><li>the application runs on Tomcat or Jetty</li></ul><br>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-09-13T06:10:06.598Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38816", "state": "PUBLISHED", "dateUpdated": "2024-09-13T13:45:05.327Z", "dateReserved": "2024-06-19T22:32:06.582Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2024-09-13T06:10:06.598Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.\n\nSpecifically, an application is vulnerable when both of the following are true:\n\n * the web application uses RouterFunctions\u00a0to serve static resources\n * resource handling is explicitly configured with a FileSystemResource\u00a0location\n\n\nHowever, malicious requests are blocked and rejected when any of the following is true:\n\n * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html \u00a0is in use\n * the application runs on Tomcat or Jetty"}, {"lang": "es", "value": "Las aplicaciones que brindan recursos est\u00e1ticos a trav\u00e9s de los marcos web funcionales WebMvc.fn o WebFlux.fn son vulnerables a ataques de path traversal. Un atacante puede crear solicitudes HTTP maliciosas y obtener cualquier archivo en el sistema de archivos que tambi\u00e9n sea accesible para el proceso en el que se ejecuta la aplicaci\u00f3n Spring. Espec\u00edficamente, una aplicaci\u00f3n es vulnerable cuando se cumplen las dos condiciones siguientes: * la aplicaci\u00f3n web usa RouterFunctions para brindar recursos est\u00e1ticos * el manejo de recursos est\u00e1 configurado expl\u00edcitamente con una ubicaci\u00f3n FileSystemResource Sin embargo, las solicitudes maliciosas se bloquean y rechazan cuando se cumple alguna de las siguientes condiciones: * el firewall HTTP de Spring Security https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html est\u00e1 en uso * la aplicaci\u00f3n se ejecuta en Tomcat o Jetty"}], "id": "CVE-2024-38816", "lastModified": "2024-09-13T14:06:04.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2024-09-13T06:15:11.190", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2024-38816"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource", "id": "2312060", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312060"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.\nSpecifically, an application is vulnerable when both of the following are true:\n* the web application uses RouterFunctions\u00a0to serve static resources\n* resource handling is explicitly configured with a FileSystemResource\u00a0location\nHowever, malicious requests are blocked and rejected when any of the following is true:\n* the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html \u00a0is in use\n* the application runs on Tomcat or Jetty", "A flaw was found in Spring applications using the WebMvc.fn or WebFlux.fn frameworks. This issue can allow attackers to perform path traversal attacks via crafted HTTP requests when the application serves static resources using RouterFunctions and explicitly configures resource handling with a FileSystemResource location."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-38816", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat build of Apache Camel for Spring Boot"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat build of Apache Camel - HawtIO"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2024-09-13T06:15:11Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-38816\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38816\nhttps://spring.io/security/cve-2024-38816"], "statement": "Path traversal vulnerabilities in applications that serve static resources via RouterFunctions and FileSystemResource pose a important security risk, as they allow attackers to bypass access controls and retrieve arbitrary files from the server's filesystem. This type of attack can lead to unauthorized exposure of sensitive data, such as configuration files, environment variables, or authentication credentials. If exploited, it can further facilitate privilege escalation, lateral movement, or remote code execution within the system. Given the broad access it grants to the server's filesystem, the potential for system compromise makes path traversal vulnerabilities a high-severity issue.", "threat_severity": "Important"}