About the Vulnerability
Introduction
The Spring Framework provides a comprehensive programming and configuration model for modern Java-based enterprise applications—on any type of deployment platform.
Summary
On October 18, 2024, Sangfor FarSight Labs received notification of a Path Traversal Vulnerability (CVE-2024-38819) in a Spring Framework component, classified as high in threat level.
Affected versions of the Spring Framework have a path traversal vulnerability when using WebMvc.fn or WebFlux.fn: an attacker can craft malicious HTTP requests to read files on the file system, resulting in information disclosure.
Affected Versions
5.3.0 ≤ Spring Framework ≤ 5.3.40
6.0.0 ≤ Spring Framework ≤ 6.0.24
6.1.0 ≤ Spring Framework ≤ 6.1.13
Solutions
Official Solution
Secure versions:
Spring Framework 5.3.41
Spring Framework 6.0.25
Spring Framework 6.1.14
Affected users are strongly advised to update the Spring Framework to the latest version (5.3.41, 6.0.25, 6.1.14 or later).
Download link: https://github.com/spring-projects/spring-framework/tags
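As an added example (not code from the Sangfor advisory or from the Spring project), the following Python script checks a dependency inventory against the affected ranges and fixed versions listed above; the artifact names and version numbers in the sample inventory are constructed for illustration.

```python
# Added example: classify Spring Framework version strings against the affected
# ranges and fixed versions published for CVE-2024-38819.
import re
from typing import Dict, Optional, Tuple

# (first affected, last affected, first fixed) for each release line, as listed above.
AFFECTED_RANGES = [
    ("5.3.0", "5.3.40", "5.3.41"),
    ("6.0.0", "6.0.24", "6.0.25"),
    ("6.1.0", "6.1.13", "6.1.14"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', tolerating a Spring-style suffix such as '.RELEASE'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str) -> Optional[str]:
    """Return the version to upgrade to if `version` falls in an affected range, else None.

    None means 'not in the ranges published for this CVE', not 'free of all issues';
    release lines the advisory does not list (e.g. 5.2.x) are out of scope here.
    """
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_version(first) <= v <= parse_version(last):
            return fixed
    return None


def scan_dependencies(deps: Dict[str, str]) -> Dict[str, str]:
    """Map each affected org.springframework artifact in an inventory to its fix version."""
    findings: Dict[str, str] = {}
    for artifact, version in deps.items():
        if artifact.startswith("org.springframework:"):
            fixed = assess(version)
            if fixed is not None:
                findings[artifact] = fixed
    return findings


if __name__ == "__main__":
    # Constructed sample inventory (group:artifact -> version), e.g. from a build tool's dependency list.
    sample = {"org.springframework:spring-webmvc": "6.0.10", "com.example:other-lib": "5.3.1"}
    for artifact, fixed in scan_dependencies(sample).items():
        print(f"{artifact} is affected by CVE-2024-38819; upgrade to {fixed}")
```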
Sangfor Solutions
Risky Assets Detection
Proactive detection of the Spring Framework is supported, and affected assets for this event can be identified in batch across business environments. Related products are as follows:
[Sangfor CWPP] has released a detection scheme with Fingerprint ID: 0000335.
[Sangfor Host Security] has released a detection scheme with Fingerprint ID: 0000335.
Timeline
On October 18, 2024, Sangfor FarSight Labs received notification of Spring Framework Path Traversal Vulnerability.
On October 18, 2024, Sangfor FarSight Labs released a vulnerability alert.