SB2024101781 - Multiple vulnerabilities in Spring Framework

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2024-38819)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in applications that serve static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

2) Security features bypass (CVE-ID: CVE-2024-38820)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to String.toLowerCase() has some Locale dependent exceptions when handling case insensitive patterns in DataBinder. A remote attacker can bypass implemented security restrictions by passing specially crafted data to the application.

Remediation

Install update from vendor's website.

References

• https://spring.io/security/cve-2024-38819
• https://spring.io/security/cve-2024-38820