{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38819", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2024-06-19T22:32:06.583Z", "datePublished": "2024-12-19T17:15:12.704Z", "dateUpdated": "2025-01-10T13:06:45.393Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Spring Framework", "vendor": "N/A", "versions": [{"status": "affected", "version": "Spring Framework 5.3.0 - 5.3.40, 6.0.0 - 6.0.24, 6.1.0 - 6.1.13"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.</span>"}], "value": "Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-12-19T17:15:12.704Z"}, "references": [{"url": "https://spring.io/security/cve-2024-38819"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-20T17:53:51.980313Z", "id": "CVE-2024-38819", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-20T17:54:04.143Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250110-0010/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-01-10T13:06:45.393Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250110-0010/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-01-10T13:06:45.393Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38819", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-20T17:53:51.980313Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-20T17:53:58.979Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "N/A", "product": "Spring Framework", "versions": [{"status": "affected", "version": "Spring Framework 5.3.0 - 5.3.40, 6.0.0 - 6.0.24, 6.1.0 - 6.1.13"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2024-38819"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-12-19T17:15:12.704Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38819", "state": "PUBLISHED", "dateUpdated": "2025-01-10T13:06:45.393Z", "dateReserved": "2024-06-19T22:32:06.583Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2024-12-19T17:15:12.704Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running."}, {"lang": "es", "value": "Las aplicaciones que ofrecen recursos est\u00e1ticos a trav\u00e9s de los marcos web funcionales WebMvc.fn o WebFlux.fn son vulnerables a ataques de path traversal. Un atacante puede manipular solicitudes HTTP maliciosas y obtener cualquier archivo del sistema de archivos al que tambi\u00e9n pueda acceder el proceso en el que se ejecuta la aplicaci\u00f3n Spring."}], "id": "CVE-2024-38819", "lastModified": "2025-01-10T13:15:09.287", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2024-12-19T18:15:10.557", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2024-38819"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20250110-0010/"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:10700", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.8", "package": "org.springframework/spring-webmvc", "product_name": "Red Hat build of Apache Camel 4.8 for Spring Boot", "release_date": "2024-12-02T00:00:00Z"}], "bugzilla": {"description": "org.springframework:spring-webmvc: Path traversal vulnerability in functional web frameworks", "id": "2327614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2327614"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-22", "details": ["Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.", "A flaw was found in the Spring Framework. Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. This flaw allows an attacker to craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-38819", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat build of Apache Camel - HawtIO"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Will not fix", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "org.springframework/spring-webmvc", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "org.springframework/spring-webmvc", "product_name": "streams for Apache Kafka"}], "public_date": "2024-10-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-38819\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38819"], "statement": "This vulnerability is of important severity because it enables path traversal attacks that allow unauthorized access to arbitrary files on the server. Exploiting this flaw could expose sensitive information such as application configuration files, authentication credentials, or environment secrets, potentially compromising the entire system. Moreover, if the application process has elevated privileges, an attacker could access system files or even gain further control over the server.", "threat_severity": "Important"}