Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-38816
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
CVE-2024-38816: Path traversal vulnerability in functional web frameworks
Source: NVD (National Vulnerability Database)
Vulnerability Description
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: * the web application uses RouterFunctions to serve static resources * resource handling is explicitly configured with a FileSystemResource location However, malicious requests are blocked and rejected when any of the following is true: * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html  is in use * the application runs on Tomcat or Jetty
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
VMware Spring Framework 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
VMware Spring Framework是美国威睿(VMware)公司的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 VMware Spring Framework存在安全漏洞,该漏洞源于存在目录遍历漏洞,允许攻击者通过精心构造的HTTP请求访问或操作服务器上本不应该被访问的文件。受影响版本如下:5.3.0至5.3.39版本、6.0.0至6.0.23版本和6.1.0至6.1.12版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
VendorProductAffected VersionsCPESubscribe
SpringSpring 5.3.x ~ 5.3.40 -
II. Public POCs for CVE-2024-38816
#POC DescriptionSource LinkShenlong Link
1Nonehttps://github.com/weliveby/cve-2024-38816-demoPOC Details
2CVE-2024-38816 Proof of Concepthttps://github.com/masa42/CVE-2024-38816-PoCPOC Details
3CVE-2024-38816 Proof of Concepthttps://github.com/WULINPIN/CVE-2024-38816-PoCPOC Details
4Nonehttps://github.com/startsw1th/cve-2024-38816-demoPOC Details
5Nonehttps://github.com/Galaxy-system/cve-2024-38816POC Details
6 CVE-2024-38816https://github.com/Anthony1078/App-vulnerablePOC Details
7Fixed cve-2024-38816 based on version 5.3.39https://github.com/wdragondragon/spring-frameworkPOC Details
8Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-38816.yamlPOC Details
9Fork spring-webmvc 5.3.39 to fix CVE-2024-38816, CVE-2024-38819https://github.com/jaloon/spring-webmvc5POC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC
III. Intelligence Information for CVE-2024-38816
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: Spring
Same vendor: Spring
V. Comments for CVE-2024-38816

No comments yet

Leave a comment