A new vulnerability (CVE-2024-38816) has been identified in applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. This vulnerability allows an attacker to perform path traversal attacks by crafting malicious HTTP requests. This can lead to unauthorized access to any accessible file on the file system, potentially exposing sensitive information. This post will provide a comprehensive overview of this vulnerability, including the code snippet, links to original references, and exploit details.

Exploit Details

An application is vulnerable to this path traversal attack when both of the following conditions are met:

1. Static resources are served through RouterFunctions (WebMvc.fn or WebFlux.fn), as in the configuration shown below.

2. The resource handling is explicitly configured with a FileSystemResource location.

It is important to note that malicious requests will be blocked and rejected if any of the following conditions are met:

1. The Spring Security HTTP Firewall (https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html) is in use.

2. The application runs on Tomcat or Jetty; as noted below, these platforms are not affected.

The following code snippet demonstrates the configuration of a vulnerable application:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.web.reactive.function.server.RouterFunction;
import org.springframework.web.reactive.function.server.RouterFunctions;
import org.springframework.web.reactive.function.server.ServerResponse;

@Configuration
public class WebConfig {

    // Vulnerable configuration: every request matching /** is resolved
    // against a FileSystemResource location, so traversal sequences in the
    // request path can escape the "static/" directory.
    @Bean
    public RouterFunction<ServerResponse> staticResourceRouter() {
        return RouterFunctions.resources("/**", new FileSystemResource("static/"));
    }

}

Possible Exploit Scenario

Suppose an attacker has identified that a specific application is vulnerable to this path traversal attack. They can craft a malicious HTTP request like the following:

http://example.com/..%2F..%2F..%2F..%2F..%2F../etc/passwd

Because the "../" sequences in this request are URL-encoded, the request passes the application's validation and is resolved against the server's file system. As a result, the attacker can read the /etc/passwd file, which contains sensitive information such as system user accounts.

Mitigation

1. Implement the Spring Security HTTP Firewall. This will block and reject any malicious requests.

2. Consider running the application on Tomcat or Jetty if possible, as these platforms are not affected by this vulnerability.
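As an added example (not code from the original post or from the Spring project), the following Python script models the two points made above: why the encoded request in the exploit scenario escapes the static directory once it is decoded and resolved against a file-system location, and the request-level checks that cause the Spring Security HTTP Firewall to reject such a request before it reaches resource handling. The rejection rules are a simplified re-implementation of the documented StrictHttpFirewall defaults (URL-encoded slash, period and percent, backslash, semicolon, null byte, non-normalized paths and non-printable characters), not Spring Security's own code; the base directory, the function names and the access-log lines are constructed for this example.

```python
import posixpath
import re
from urllib.parse import unquote

# Substrings that the firewall rejects on the *raw* request path, before any
# decoding; checked case-insensitively. Modelled on StrictHttpFirewall defaults.
ENCODED_REJECTIONS = [
    ("%2f", "url-encoded slash"),
    ("%5c", "url-encoded backslash"),
    ("\\", "backslash"),
    ("%2e", "url-encoded period"),
    ("%25", "url-encoded percent (double encoding)"),
    (";", "semicolon"),
    ("%3b", "url-encoded semicolon"),
    ("%00", "url-encoded null"),
]


def firewall_rejections(raw_path: str) -> list[str]:
    """Return the reasons a raw request path would be rejected; [] if allowed."""
    reasons = []
    lowered = raw_path.lower()
    for needle, reason in ENCODED_REJECTIONS:
        if needle in lowered:
            reasons.append(reason)
    if any(not (0x20 <= ord(ch) <= 0x7E) for ch in raw_path):
        reasons.append("non-printable or non-ASCII character")
    # A "normalized" path has no "." or ".." segments, in raw or decoded form.
    for candidate in (raw_path, unquote(raw_path)):
        if any(seg in (".", "..") for seg in candidate.split("/")):
            reasons.append("non-normalized path (. or .. segment)")
            break
    return reasons


def resolves_inside(base_dir: str, raw_path: str) -> bool:
    """Model of resolving a request path against a file-system location:
    decode, join onto base_dir, normalize, then require the result to still
    lie under base_dir. This containment check is what a bare
    FileSystemResource location does not give you."""
    decoded = unquote(raw_path).lstrip("/")
    joined = posixpath.normpath(posixpath.join(base_dir, decoded))
    base = posixpath.normpath(base_dir)
    return joined == base or joined.startswith(base + "/")


# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Sep/2024:06:15:11 +0000] "GET /css/app.css HTTP/1.1" 200 1234
10.0.0.5 - - [13/Sep/2024:06:15:12 +0000] "GET /..%2F..%2F..%2F..%2F..%2F../etc/passwd HTTP/1.1" 200 2048
10.0.0.9 - - [13/Sep/2024:06:15:13 +0000] "GET /img/logo.png HTTP/1.1" 200 512
10.0.0.9 - - [13/Sep/2024:06:15:14 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 2048
"""

REQUEST_LINE = re.compile(r'"(?:GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/')


def scan_access_log(log_text: str, base_dir: str) -> list[tuple[str, list[str]]]:
    """Return (path, reasons) for every request the firewall rules would
    reject or that would resolve outside base_dir; useful for retroactive
    detection on servers that were exposed without the firewall."""
    flagged = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        path = match.group(1).split("?", 1)[0]  # ignore any query string
        reasons = firewall_rejections(path)
        if not resolves_inside(base_dir, path):
            reasons.append("resolves outside the static directory")
        if reasons:
            flagged.append((path, reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in scan_access_log(SAMPLE_LOG, "/srv/app/static"):
        print(path, "->", ", ".join(reasons))
```

Running the script lists only the two traversal requests, each with the firewall reason and the containment failure. Two design points are worth noting: the firewall checks operate on the raw path before decoding, which is why URL-encoding "../" does not get past them, and the containment check operates on the decoded, normalized path, which is the check a FileSystemResource location performs no substitute for.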

References

* Spring Security HTTP Firewall: https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html
* CVE-2024-38816 on the National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-38816

Conclusion

The CVE-2024-38816 vulnerability exposes applications using WebMvc.fn or WebFlux.fn functional web frameworks to path traversal attacks. This can lead to unauthorized access to sensitive files on the file system. To mitigate this vulnerability, developers should implement the Spring Security HTTP Firewall and consider running their applications on Tomcat or Jetty. Stay vigilant and keep your applications secure!

Timeline

Published on: 09/13/2024 06:15:11 UTC
Last modified on: 09/13/2024 14:06:04 UTC