CVE-2024-38819
Spring Path Traversal Error
Description
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
INFO
Published Date :
Dec. 19, 2024, 6:15 p.m.
Last Modified :
Jan. 10, 2025, 1:15 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | [email protected] |
Solution
- Upgrade Spring Framework to version 5.3.41, 6.0.25, 6.1.14, or later.
- Upgrade Atlassian Confluence to version 7.19.30, 8.5.18, 9.1.1, 9.2.0 or later.
- Upgrade Atlassian Jira Service Management to version 5.12.19 or later.
Public PoC/Exploit Available at Github
CVE-2024-38819 has a 16 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-38819.
| URL | Resource |
|---|---|
| https://spring.io/security/cve-2024-38819 | |
| https://security.netapp.com/advisory/ntap-20250110-0010/ |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-38819 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-38819
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Dockerfile Shell Java HTML Smarty HCL
None
Java
None
Dockerfile Java
CVE POC repo 자동 수집기
Python
Smith: It's a security Agent Written with Scala 3.x
Scala Shell
Fork spring-webmvc 5.3.39 to fix CVE-2024-38816, CVE-2024-38819
Java Kotlin FreeMarker
None
CSS TypeScript JavaScript
None
HTML Python Shell
None
portfolio
CVE-2024-38819 nuclei template
None
Dockerfile Java
这是一个每天同步Vulnerability-Wiki中docs-base中内容的项目
HTML
一个 CVE 漏洞预警知识库,无 exp/poc,部分包含修复方案。A knowledge base of CVE security vulnerability, no PoCs/exploits.
Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs.
cisa-kev vulnerability 0day cisa exploits
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-38819 vulnerability anywhere in the article.
-
Daily CyberSecurity
Spring Patches Two Flaws: SpEL Injection (CVE-2025-41253) Leaks Secrets, STOMP CSRF Bypasses WebSocket Security
VMware Tanzu’s Spring team has released fixes for two vulnerabilities impacting Spring Cloud Gateway and the Spring Framework, one of which could allow attackers to expose sensitive environment variab ... Read more
-
Cyber Security News
Adobe Security Update – Patch for Multiple Vulnerabilities Across Products
Adobe has released a comprehensive set of security updates addressing multiple vulnerabilities across twelve of its products. The patches, all released on April 8, 2025, aim to resolve critical, impor ... Read more
-
Cybersecurity News
CVE-2024-21182: PoC Exploit Code Published for Severe WebLogic Flaw
A security researcher published a proof-of-concept (PoC) exploit for CVE-2024-21182, a critical vulnerability in Oracle WebLogic Server. Rated at CVSS 7.5, this flaw exposes affected systems to potent ... Read more
-
Cybersecurity News
Is Your Network at Risk? New Report Highlights Network File System Vulnerabilities
HvS-Consulting GmbH has released an insightful report shedding light on the often-overlooked vulnerabilities of the Network File System (NFS) protocol. Widely used across platforms for remote file acc ... Read more
-
Cybersecurity News
Stealthy UEFI Bootkit Targets Windows Kernel, Raising Security Concerns
Security researchers NSG650 and Pdawg have unveiled a proof-of-concept UEFI bootkit that exploits a critical firmware function to compromise the Windows kernel during the boot process. This bootkit de ... Read more
-
Cybersecurity News
“Glic”: Google Chrome to Get Gemini Live Integration
Developers have discovered that Google appears to be planning the integration of the Gemini Live system into Chrome. This revelation comes from an X user known as Leopeva64, who delved into the Chromi ... Read more
The following table lists the changes that have been made to the
CVE-2024-38819 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jan. 10, 2025
Action Type Old Value New Value Added Reference https://security.netapp.com/advisory/ntap-20250110-0010/ -
New CVE Received by [email protected]
Dec. 19, 2024
Action Type Old Value New Value Added Description Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Added CWE CWE-22 Added Reference https://spring.io/security/cve-2024-38819