H-ISAC TLP White Vulnerability Bulletin: Patches Released for High-Severity Vulnerability Affecting Spring Framework

Spring Framework recently published a security advisory addressing a path traversal vulnerability, tracked as CVE-2024-38816, in its functional web frameworks. Spring Framework is a popular Java-based open-source application framework that provides a comprehensive platform for building enterprise-level applications.

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. Both are powerful tools for building web applications, and they operate as lightweight, functional programming models in which functions route and handle requests.

According to the Spring security advisory, an application is vulnerable when a web application uses Router Functions to serve static resources and resource handling is explicitly configured with a File System Resource location.

Successful exploitation will allow an adversary to craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
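As an added illustration, not code from the bulletin or from the Spring project, the following shows the configuration shape the advisory describes as vulnerable (WebMvc.fn router functions serving static files from an explicit FileSystemResource location), a classpath-backed alternative that falls outside that condition, and a containment check a handler can apply as defence in depth; the directory paths and class names are assumptions. Applying the released patches remains the primary remediation.

```java
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.FileSystemResource;
import org.springframework.web.servlet.function.RouterFunction;
import org.springframework.web.servlet.function.RouterFunctions;
import org.springframework.web.servlet.function.ServerResponse;

import java.nio.file.Path;

public class StaticRoutes {

    // The condition named in the advisory: Router Functions serving static
    // resources with resource handling explicitly configured as a
    // FileSystemResource location. "/srv/app/static/" is a hypothetical path.
    static RouterFunction<ServerResponse> fileSystemBackedRoute() {
        return RouterFunctions.resources("/static/**",
                new FileSystemResource("/srv/app/static/"));
    }

    // The same routes served from the classpath instead of the file system;
    // this is not the file-system location configuration the advisory covers.
    static RouterFunction<ServerResponse> classPathBackedRoute() {
        return RouterFunctions.resources("/static/**",
                new ClassPathResource("static/"));
    }

    // Defence-in-depth containment check (illustrative, not the framework's
    // patched code): resolve the already-decoded request path against the
    // static root and refuse anything that normalises to a location outside it.
    static Path resolveInsideRoot(Path root, String requestedRelativePath) {
        Path base = root.toAbsolutePath().normalize();
        Path target = base.resolve(requestedRelativePath).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("requested path escapes the static root");
        }
        return target;
    }
}
```

The containment check operates on the decoded path, so it must run after the servlet layer has decoded the request URI; it does not replace the upstream fix.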


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272