AIKIDO-2024-10351

spring-webmvc is vulnerable to Path Traversal

87

High

spring-webmvc java

AIKIDO-2024-10351: spring-webmvc is vulnerable to Path Traversal in versions 0.0.1 - 5.3.40, 6.0.0 - 6.0.24 and 6.1.0 - 6.1.13.

Path Traversal
Vuln in 0.0.1 - 5.3.40
Fixed in 5.3.41
Vuln in 6.0.0 - 6.0.24
Fixed in 6.0.25
Vuln in 6.1.0 - 6.1.13
Fixed in 6.1.14
CVE-2024-38819
TL;DR

Affected versions of the package are vulnerable to Path Traversal. Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Who does this affect?

You're affected if your application depends on a spring-webmvc version within the vulnerable ranges listed above (0.0.1 - 5.3.40, 6.0.0 - 6.0.24 or 6.1.0 - 6.1.13), in particular if it serves static resources through WebMvc.fn or WebFlux.fn.

How can it be fixed?

Upgrade the spring-webmvc library to a patched version: 5.3.41, 6.0.25 or 6.1.14, depending on which release line you are on.
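An added check, not Aikido's tooling, that compares a declared spring-webmvc version against the ranges in this advisory and reports the release to upgrade to; the pom.xml fragment is constructed for the example, and a version given as a Maven property (e.g. `${spring.version}`) is assumed to be resolved before it is passed in.

```python
"""Check spring-webmvc versions against the AIKIDO-2024-10351 / CVE-2024-38819 ranges."""
from __future__ import annotations
import re

# Ranges exactly as published in the advisory: (first vulnerable, last vulnerable, fixed).
AFFECTED_RANGES = [
    ("0.0.1", "5.3.40", "5.3.41"),
    ("6.0.0", "6.0.24", "6.0.25"),
    ("6.1.0", "6.1.13", "6.1.14"),
]


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '6.1.13' or '5.2.25.RELEASE' into a comparable tuple of ints.
    Qualifiers (RELEASE, SNAPSHOT, ...) are dropped, so a SNAPSHOT of a fixed
    version is reported as fixed; treat such builds conservatively."""
    core = re.match(r"^\d+(?:\.\d+)*", v.strip())
    if not core:
        raise ValueError(f"unrecognised version: {v!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    while len(parts) < 3:  # pad '6.1' to (6, 1, 0) so ranges compare cleanly
        parts.append(0)
    return tuple(parts)


def assess(version: str) -> str | None:
    """Return the fixed version to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return fixed
    return None


# Matches a Maven dependency whose artifactId is spring-webmvc with a literal version.
MAVEN_DEP = re.compile(
    r"<artifactId>spring-webmvc</artifactId>\s*<version>([^<]+)</version>", re.S)


def scan_pom(pom_xml: str) -> list[tuple[str, str | None]]:
    """Find spring-webmvc declarations in pom.xml text and assess each one."""
    return [(ver, assess(ver)) for ver in MAVEN_DEP.findall(pom_xml)]


# Constructed sample pom fragment (not taken from any real project).
SAMPLE_POM = """<dependencies><dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-webmvc</artifactId>
  <version>6.1.13</version>
</dependency></dependencies>"""

if __name__ == "__main__":
    for version, fixed in scan_pom(SAMPLE_POM):
        print(version, "->", f"upgrade to {fixed}" if fixed else "not affected")
```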

© 2024 Aikido Security BV | BE0792914919
🇪🇺 Grauwpoort 1, 9000 Ghent, Belgium
🇺🇸 95 Third St, 2nd Fl, San Francisco, CA 94103, US