CVE-2024-38816: Spring Framework Path Traversal Vulnerability Threatens Millions
A serious security vulnerability, CVE-2024-38816 (CVSS score 7.5), has been identified in the Spring Framework and could affect millions of Java applications globally. This path traversal vulnerability allows attackers to access sensitive files on a server, leading to possible data breaches and system compromises.

The issue arises when the Spring Framework's static resource handling through RouterFunctions with a FileSystemResource location is targeted by specially crafted HTTP requests. Applications are protected if they use the Spring Security HTTP Firewall or run on Tomcat or Jetty, which block these malicious requests.

The vulnerability affects Spring Framework versions 5.3.0 to 5.3.39, 6.0.0 to 6.0.23, and 6.1.0 to 6.1.12. To mitigate the risk, organizations should upgrade to the patched versions 5.3.40, 6.0.24, or 6.1.13. For those remaining on older versions, enabling the Spring Security HTTP Firewall or switching to Tomcat or Jetty can provide additional protection against this vulnerability.

CVEs: CVE-2024-38816

[View Article](https://securityonline.info/cve-2024-38816-spring-framework-path-traversal-vulnerability-threatens-millions/)
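As an added example (not from the article or from the Spring project), the script below flags Spring Framework artifacts in `mvn dependency:tree` output whose versions fall inside the affected ranges listed above and names the fixed release to move to. The sample tree is constructed for the demonstration, and the script checks only the three version ranges the advisory states; whether an application is actually exposed still depends on its use of RouterFunctions with a FileSystemResource location and on the protections named above.

```python
import re

# Affected ranges as stated in the advisory, keyed by (major, minor):
# inclusive first and last affected patch level, plus the first fixed release.
AFFECTED = {
    (5, 3): (0, 39, "5.3.40"),   # 5.3.0 - 5.3.39
    (6, 0): (0, 23, "6.0.24"),   # 6.0.0 - 6.0.23
    (6, 1): (0, 12, "6.1.13"),   # 6.1.0 - 6.1.12
}

# Matches Maven coordinates such as "org.springframework:spring-webmvc:jar:6.1.12:compile".
# Only the org.springframework group carries framework versions; Boot artifacts
# (org.springframework.boot) have their own version scheme and are skipped.
DEP_RE = re.compile(r"(org\.springframework:[\w.-]+):(?:jar|pom):(\d+)\.(\d+)\.(\d+)")


def classify_version(version: str) -> str:
    """Return 'affected', 'fixed' or 'not-listed' for a Spring Framework version."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    line = AFFECTED.get((major, minor))
    if line is None:
        return "not-listed"          # release line not named in the advisory
    lo, hi, _fixed = line
    return "affected" if lo <= patch <= hi else "fixed"


def remediation(version: str):
    """First patched release for an affected version, else None."""
    if classify_version(version) != "affected":
        return None
    major, minor, _ = (int(x) for x in version.split(".")[:3])
    return AFFECTED[(major, minor)][2]


def scan_dependency_tree(text: str):
    """Yield (artifact, version, status, fixed_version) for each framework artifact."""
    findings = []
    for raw in text.splitlines():
        m = DEP_RE.search(raw)
        if not m:
            continue
        artifact, version = m.group(1), ".".join(m.group(2, 3, 4))
        findings.append((artifact, version, classify_version(version), remediation(version)))
    return findings


# Constructed sample of `mvn dependency:tree` output; versions mixed on purpose
# so that both an affected and a fixed artifact appear.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.3.3:compile
[INFO] |  +- org.springframework:spring-web:jar:6.1.12:compile
[INFO] |  \\- org.springframework:spring-webmvc:jar:6.1.12:compile
[INFO] +- org.springframework:spring-jcl:jar:6.1.13:compile
"""

if __name__ == "__main__":
    for artifact, version, status, fixed in scan_dependency_tree(SAMPLE_TREE):
        print(f"{artifact} {version}: {status}" + (f" -> upgrade to {fixed}" if fixed else ""))
```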