CVE CyberSecurity Database News

CVE-2024-38819 - Path Traversal in Spring WebMvc.fn and WebFlux.fn – How Attackers Steal Your Files

Poster -

In June 2024, a serious vulnerability was discovered in the Spring Java framework: CVE-2024-38819. This bug allows attackers to read arbitrary files on the server, simply by crafting tricky HTTP requests. If you're running a Spring Boot application that serves static resources using WebMvc.fn or WebFlux.fn, your server could be wide open. In this post, I'll explain how the exploit works, how you can test it, and how to fix it — all in simple terms.

What is the Problem? (A Human Explanation)

Normally, when your Spring app serves files from a “public” folder (think images, JS, CSS), you trust it will block access to sensitive things like /etc/passwd or application.properties. But this vulnerability in Spring's functional web frameworks means attackers can trick the server into serving any file on the disk that the app user has access to.

Why Does It Happen?

Spring's fn routing APIs (WebMvc.fn and WebFlux.fn) process requests to files but fail to sanitize paths in a way that stops directory traversal (the classic ../ trick). It's basically like leaving the key to your file cabinet in the lobby.

The process running your app can read sensitive files (the default for most apps)

If you use annotation-based controllers (like @RestController), you are NOT affected by this CVE.

Suppose you want to serve files from /static. You might use

import org.springframework.web.servlet.function.RouterFunctions;
import org.springframework.web.servlet.function.ServerResponse;
import org.springframework.web.servlet.function.RouterFunction;

RouterFunction<ServerResponse> route = RouterFunctions.resources("/files/**", new ClassPathResource("static/"));

Or in WebFlux

import org.springframework.web.reactive.function.server.RouterFunctions;
import org.springframework.web.reactive.function.server.ServerResponse;
import org.springframework.web.reactive.function.server.RouterFunction;

RouterFunction<ServerResponse> route = RouterFunctions.resources("/files/**", new ClassPathResource("static/"));

If this code runs, a client can request any file by abusing the path!

## The Exploit: Stealing /etc/passwd (or anything!)

All the attacker needs is a browser, curl, or an HTTP request tool. Here’s how simple it is

curl http://your-app.example.com/files/../../../../../../etc/passwd

or, with URL encoding to bypass simple filters

curl "http://your-app.example.com/files/..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd";

The server will respond with the contents of the /etc/passwd file (on Linux/Unix). On Windows, attackers might try C:\Windows\system.ini or similar files.

This also means they can steal things like application.properties, secret config files, or even random data files.

Try making a request like

GET /files/../../../../../../<secret-file>

If you get any file outside of static/, your app is vulnerable.

Spring Framework 5.3.33

Official fix info:
- Spring Blog Post
- NVD Details

Alternatively:
- Add explicit sanitization/filtering of incoming paths

Before you can upgrade, you can add a simple filter to deny .. segments in request paths

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

public class NoPathTraversalFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String uri = request.getRequestURI();
        if (uri.contains("..")) {
            ((HttpServletResponse) res).sendError(400, "Path traversal attempt blocked!");
            return;
        }
        chain.doFilter(req, res);
    }
}

Add this filter to your app as a stopgap.

Is This Serious?

Yes, absolutely.

Read secret keys

- Grab customer/user data

References and More Info

- Spring Security Advisory
- National Vulnerability Database
- Spring Framework GitHub

Final Words

CVE-2024-38819 is a classic example of how tiny overlooked details (path handling!) can put an entire web application at risk. If you use Spring’s functional routing, check your version and patch ASAP. It’s a five-minute fix that could save you from serious data breaches.

Stay safe! And always keep dependencies up-to-date.


Exclusive content by GPT-4. June 2024. If you found this helpful, patch your apps and share with your team!

Timeline

Published on: 12/19/2024 18:15:10 UTC