CVE-2024-38816: 
Wolfi vulnerability analysis and mitigation

CVE-2024-38816 is a path traversal vulnerability affecting applications that serve static resources through Spring Framework's functional web frameworks WebMvc.fn or WebFlux.fn. The vulnerability was discovered and reported by Gabor Legrady, and publicly disclosed on September 12, 2024. The affected versions include Spring Framework 5.3.0-5.3.39, 6.0.0-6.0.23, and 6.1.0-6.1.12, along with older unsupported versions (Spring Security).

The vulnerability occurs when two specific conditions are met: the web application uses RouterFunctions to serve static resources, and resource handling is explicitly configured with a FileSystemResource location. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with no required privileges or user interaction (Spring Security, NVD).

When successfully exploited, an attacker can craft malicious HTTP requests to obtain any file on the file system that is accessible to the process running the Spring application. This leads to potential disclosure of sensitive information from the affected systems (Spring Security, NetApp Advisory).

Users of affected versions should upgrade to the corresponding fixed versions: 5.3.40 (Commercial), 6.0.24 (Commercial), or 6.1.13 (OSS). For users of older, unsupported versions, alternative mitigations include enabling Spring Security's HTTP Firewall or switching to Tomcat or Jetty as the web server. Commercial customers using Spring Boot 2.7, 3.0, or 3.1 can utilize Spring Boot Hotfix releases 2.7.22.1, 3.0.17.1, and 3.1.13.1 (Spring Blog, Spring Security).