CVE-2024-38816 – Path Traversal in Spring WebMVC

Severity: None

2025-XX-YY


Abstract

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Specifically, an application is vulnerable when both of the following are true:

* the web application uses RouterFunctions to serve static resources
* resource handling is explicitly configured with a FileSystemResource location

However, malicious requests are blocked and rejected when any of the following is true:

* the Spring Security HTTP Firewall (https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html) is in use
* the application runs on Tomcat or Jetty

The Oxygen products incorporate Spring WebMVC as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product                              | Severity | Fixed Release Availability
-------------------------------------|----------|---------------------------
Oxygen Feedback v5.0 and older       | None     | N/A
Oxygen Content Fusion v7.0 and older | None     | N/A

Mitigation

None

Detail

CVE-2024-38816

Severity: High

CVSS Score: 7.5

CVE-2024-38816 is a path traversal vulnerability affecting Spring applications that serve static resources using functional endpoints. An application is vulnerable only when it both uses RouterFunctions to serve static resources and configures resource handling with a FileSystemResource location. Deployments protected by the Spring Security HTTP Firewall or running on Tomcat or Jetty block the malicious requests.
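As an added example (not code from this advisory, from Oxygen, or from Spring itself), the WebMvc.fn router configuration that meets the vulnerable condition is shown next to two alternatives that do not: a classpath-backed location, and a disk-backed lookup with an explicit containment check. The route pattern, the directory /srv/app/static and the method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;
import java.util.function.Function;

import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.FileSystemResource;
import org.springframework.core.io.Resource;
import org.springframework.web.servlet.function.RouterFunction;
import org.springframework.web.servlet.function.RouterFunctions;
import org.springframework.web.servlet.function.ServerRequest;
import org.springframework.web.servlet.function.ServerResponse;
import org.springframework.web.util.UriUtils;

public class StaticResourceRoutes {

    // Meets the advisory's vulnerable condition: a RouterFunction serving static
    // files from a FileSystemResource location. On an unfixed Spring version this
    // is only safe if Spring Security's HTTP firewall, Tomcat or Jetty rejects
    // the traversal request first. (/srv/app/static is an assumed path.)
    static RouterFunction<ServerResponse> fileSystemRoutes() {
        return RouterFunctions.resources("/static/**",
                new FileSystemResource("/srv/app/static/"));
    }

    // Does not meet the vulnerable condition: the location is a ClassPathResource,
    // not a FileSystemResource, so nothing outside the packaged resources is reachable.
    static RouterFunction<ServerResponse> classpathRoutes() {
        return RouterFunctions.resources("/static/**",
                new ClassPathResource("static/"));
    }

    // Defence in depth when disk-backed serving is required: a custom lookup that
    // decodes, normalizes and verifies that the resolved file stays under root.
    // Note: Files.isRegularFile follows symlinks, so root should not contain links
    // pointing outside it.
    static RouterFunction<ServerResponse> containedRoutes(Path root) {
        Path base = root.toAbsolutePath().normalize();
        Function<ServerRequest, Optional<Resource>> lookup = request -> {
            String path = UriUtils.decode(request.path(), StandardCharsets.UTF_8);
            if (!path.startsWith("/static/")) {
                return Optional.empty();            // not ours: let other routes handle it
            }
            Path resolved = base.resolve(path.substring("/static/".length())).normalize();
            if (!resolved.startsWith(base) || !Files.isRegularFile(resolved)) {
                return Optional.empty();            // traversal attempt or not a file: 404
            }
            return Optional.of(new FileSystemResource(resolved));
        };
        return RouterFunctions.resources(lookup);
    }
}
```

An absolute or "../"-laden request path resolves outside base and fails the startsWith check, so the lookup returns empty and the framework answers 404 instead of serving the file.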

After review, Oxygen products do not meet the vulnerable conditions: they do not use RouterFunctions to serve static resources, and the services run on Tomcat. Therefore, no supported Oxygen versions are affected.
