CVE-2024-38816
Published: 13 September 2024
Summary
CVE-2024-38816 is a high-severity Path Traversal (CWE-22) vulnerability in Spring Security HTTP (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-38816 is a path traversal vulnerability affecting Spring applications that serve static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. It is present when an application uses RouterFunctions to serve static resources and resource handling is explicitly configured with a FileSystemResource location, allowing crafted requests to access arbitrary files readable by the Spring process. The issue carries a CVSS 3.1 score of 7.5 and is classified under CWE-22.
An unauthenticated remote attacker can exploit the flaw by sending malicious HTTP requests to read sensitive files from the underlying filesystem. Exploitation succeeds only in the specific RouterFunctions plus FileSystemResource configuration; requests are blocked when the Spring Security HTTP Firewall is enabled or when the application runs on Tomcat or Jetty.
The official Spring advisory at spring.io/security/cve-2024-38816 and the NetApp advisory NTAP-20241227-0001 both highlight these environmental mitigations and recommend reviewing static-resource configurations or enabling the firewall. The associated EPSS score remains near 0.94 with no material change between current and peak values.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2776
Vulnerability details
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Specifically, an application is vulnerable when both of the following are true:
- the web application uses RouterFunctions to serve static resources
- resource handling is explicitly configured with a FileSystemResource location

However, malicious requests are blocked and rejected when any of the following is true:
- the Spring Security HTTP Firewall (https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html) is in use
- the application runs on Tomcat or Jetty
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Control mapping specific to this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories (CWE-22).
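The control listed above is the generic CWE-22 defence. As an added illustration, not code from Spring Framework or from the advisory, the following Python shows what such a containment check looks like for a static-file handler: percent-decode the request path once, join it to the configured root, fully resolve the result (including `..` segments and symlinks), and only then verify that it still lies under the root. The directory tree, file names and request paths are constructed for the demonstration.

```python
"""Illustrative path-containment check for static file serving (CWE-22).

Added example for the mitigating control described above; it is not code
from Spring Framework or from the advisory. The directory layout, file names
and request paths are constructed for the demonstration.
"""
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_static_path(base_dir: Path, requested: str) -> Optional[Path]:
    """Map a URL path onto a file under base_dir, or return None if it escapes.

    The request path is percent-decoded exactly once, joined to the base
    directory and fully resolved (symlinks and '..' segments included) before
    the containment check, so the decision is made on the path the OS would
    actually open rather than on the string the client sent.
    """
    base = base_dir.resolve(strict=True)
    decoded = unquote(requested)
    # A leading '/' would make the join discard base_dir entirely.
    relative = decoded.lstrip("/")
    candidate = (base / relative).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if outside base
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Build a constructed directory tree and exercise the check.

    Returns a mapping of request path -> whether the request would be served.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        static = root / "static"
        (static / "css").mkdir(parents=True)
        (static / "css" / "site.css").write_text("body{}")
        # A file outside the static root that must never be reachable.
        (root / "secret.txt").write_text("constructed secret")

        requests = [
            "/css/site.css",            # legitimate file under the root
            "/css/../css/site.css",     # '..' that still stays inside
            "/../secret.txt",           # classic traversal out of the root
            "/%2e%2e/secret.txt",       # percent-encoded traversal
            "/%252e%252e/secret.txt",   # double-encoded: decoded once, no such file
            "/css",                     # a directory, not a file
        ]
        # A symlink inside the root pointing outside it (skipped where
        # symlink creation is not permitted, e.g. some Windows setups).
        try:
            (static / "link").symlink_to(root / "secret.txt")
            requests.append("/link")
        except OSError:
            pass

        return {r: resolve_static_path(static, r) is not None for r in requests}


if __name__ == "__main__":
    for request, served in demo().items():
        print(f"{request:28} -> {'served' if served else 'rejected'}")
```

Note that the check is done on the resolved path, so a symlink placed inside the root but pointing outside it is rejected just like a literal `..` segment; a check on the raw request string alone would miss it.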