CVE-2024-38819: 
Java vulnerability analysis and mitigation

CVE-2024-38819 is a path traversal vulnerability affecting Spring Framework's functional web frameworks WebMvc.fn and WebFlux.fn. The vulnerability was discovered and reported by Masato Anzai of Aeye Security Lab, Inc., along with an anonymous reporter, and was publicly disclosed on October 17, 2024. The vulnerability affects Spring Framework versions 5.3.0-5.3.40, 6.0.0-6.0.24, and 6.1.0-6.1.13 (Spring Security).

The vulnerability allows attackers to perform path traversal attacks when applications serve static resources through WebMvc.fn or WebFlux.fn frameworks. The vulnerability occurs specifically when both conditions are met: the web application uses RouterFunctions to serve static resources and resource handling is explicitly configured with a FileSystemResource location. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating high severity with network accessibility and no required privileges or user interaction (Spring Security, NVD).

When successfully exploited, this vulnerability enables attackers to craft malicious HTTP requests and obtain any file on the file system that is accessible to the process running the Spring application. This leads to potential disclosure of sensitive information from the affected systems (Spring Security).

Users of affected versions should upgrade to the corresponding fixed versions: 5.3.41 (commercial), 6.0.25 (commercial), or 6.1.14 (OSS). Commercial customers using Spring Boot 2.7, 3.0, or 3.1 can utilize Spring Boot Hotfix releases 2.7.22.2, 3.0.17.2, and 3.1.13.2, available through the Spring commercial artifact repository (Spring Blog).