#VU98796 Path traversal in Pivotal Spring Framework - CVE-2024-38819


| Updated: 2024-12-19

Vulnerability identifier: #VU98796

Vulnerability risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-38819

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Pivotal Spring Framework
Server applications / Frameworks for developing and running applications

Vendor: Pivotal

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in applications that serve static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Pivotal Spring Framework: 5.3.22 - 5.3.40, 6.0.21 - 6.0.24, 6.1.8 - 6.1.13, 6.2.0-M2 - 6.2.0 RC1

External links
https://spring.io/security/cve-2024-38819

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Operational Decision Manager
Bitbucket Data Center and Server update for Pivotal Spring Framework
Multiple vulnerabilities in Cloudera Observability on Premises with IBM
Multiple vulnerabilities in IBM DevOps Solution Workbench
IBM Spectrum Symphony update for spring webmvc
Multiple vulnerabilities in Oracle Solaris Cluster
Multiple vulnerabilities in Oracle Healthcare Data Repository
Path traversal in Oracle Enterprise Manager for Fusion Middleware
Multiple vulnerabilities in Oracle WebLogic Server
Multiple vulnerabilities in Oracle Healthcare Master Person Index