
CVE-2024-38819: Spring Framework Path Traversal vulnerability

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.98361%
Published: 12/19/2024
Updated: 1/10/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name                         Ecosystem   Vulnerable Versions   First Patched Version
org.springframework:spring-webflux   maven       < 6.1.14              6.1.14
org.springframework:spring-webmvc    maven       < 6.1.14              6.1.14

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is a path traversal issue due to improper sanitization and validation of user-supplied paths when serving static resources. The patches (3bfbe30a7814c9ea1556d40df9bd87ddb3ba372d and fb7890d73975a3d9e0763e0926df2bd0a608e87e) address this by introducing and refining path normalization logic (new normalizePath and decode methods) and by strengthening validation checks in isInvalidPath methods.

The processPath methods in PathResourceLookupFunction (for WebFlux.fn and WebMvc.fn), ResourceWebHandler (WebFlux), and ResourceHttpRequestHandler (WebMvc) are directly responsible for initial path processing. The patches modify these methods to incorporate the new normalization logic. Therefore, their pre-patch versions, which lacked this normalization, are considered vulnerable as they processed potentially malicious input without adequate sanitization.

Similarly, the isInvalidPath methods in these classes contained insufficient checks to detect and block path traversal attempts (e.g., involving '..', URL-encoded characters). The patches corrected these checks. Thus, their pre-patch versions are also considered part of the vulnerability.

The functions normalizePath and decode are part of the mitigation, not the vulnerability itself. The vulnerability lies in the functions that failed to normalize or validate paths correctly before these fixes were introduced.
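The decode-then-normalize-then-validate order described above, as an added example that is not Spring's own code: a pre-patch style check that only looks for a literal ".." beside a hardened check that decodes once, normalizes, and only then validates. The class name, the BASE directory and the sample request paths are placeholders chosen for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (not Spring's code): hardened static-resource path check.
public final class StaticPathGuard {
    // Placeholder document root for the example.
    private static final Path BASE = Paths.get("/srv/static").toAbsolutePath().normalize();

    // Pre-patch style check: a literal ".." only, so "%2e%2e/" slips through.
    static boolean naiveIsInvalid(String path) {
        return path.contains("..");
    }

    // Decode percent-encoding exactly once, then normalize. A '%' or NUL that
    // survives the single decode indicates double encoding and is rejected.
    static String normalizePath(String path) {
        String decoded;
        try {
            decoded = URLDecoder.decode(path, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        if (decoded.contains("%") || decoded.indexOf('\0') >= 0) {
            return null;
        }
        // Unify separators, collapse repeated slashes, drop leading slashes,
        // then resolve "." and ".." segments.
        String cleaned = decoded.replace('\\', '/').replaceAll("/+", "/");
        while (cleaned.startsWith("/")) cleaned = cleaned.substring(1);
        return Paths.get(cleaned).normalize().toString();
    }

    // Validate the normalized form: reject anything that still climbs upward
    // or would not resolve underneath BASE.
    static boolean isInvalidPath(String normalized) {
        if (normalized == null || normalized.contains("..")) return true;
        return !BASE.resolve(normalized).normalize().startsWith(BASE);
    }

    static boolean allows(String requested) {
        return !isInvalidPath(normalizePath(requested));
    }

    public static void main(String[] args) {
        // Constructed sample requests: valid, literal traversal, encoded traversal,
        // an in-tree "..", and a double-encoded traversal.
        String[] samples = { "css/app.css", "../../outside.txt",
            "%2e%2e/%2e%2e/outside.txt", "css/../app.css", "%252e%252e/outside.txt" };
        for (String s : samples) {
            System.out.printf("%-28s naiveAllows=%-5s hardenedAllows=%s%n",
                s, !naiveIsInvalid(s), allows(s));
        }
    }
}
```

Only the encoded request is accepted by the naive check, which is the gap the patches close by normalizing before isInvalidPath runs.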


WAF Protection Rules

WAF Rule

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible
