Description
We are facing a Path Traversal Vulnerability (CVE-2024-38819) in our application due to the Spring Framework.
Environment Details
• Spring Version: [Current Spring version] --> spring-boot-starter-web - 1.5.2.RELEASE
• Java Version: [Java 8]
• Dependency Management Tool: Maven
• Application Context: Spring Boot web application
• Server: Tomcat
What We Tried
• Upgrading the Spring Web Version: Attempted upgrading the version of the Spring Web dependency from 4.3.7.RELEASE.jar to 4.3.30.RELEASE.jar to resolve the issue. However, the vulnerability persists.
• Higher Version of Spring Framework: Tried considering a higher version of Spring Framework, but it requires upgrading our Java version [Java 18], which is not feasible due to compatibility and operational constraints.
Request
• Is there a workaround or alternative solution to address this vulnerability without upgrading the Java version?
• If not, can an exception be made to skip this issue, or are there any mitigations that can be applied at the code or configuration level? We would appreciate it if you could provide the confirmation in one of the following formats:
1. Vendor confirmation email
2. Ticket updates in PDF format
3. Confirmation published on the vendor website
Impact
This vulnerability poses a security risk to our application in production, and we are looking for a solution that doesn't disrupt our existing setup.
Reference Document
Spring Framework Path Traversal Vulnerability - CVE-2024-38819.docx
Comment From: bclozel
Hello @AshishJogiAcc
I think your applications are vulnerable to many other CVEs as well. Spring Boot 1.5.x and Framework 4.x have been out of support for a while now.
It sounds like you should consider commercial support to first upgrade to a commercially supported generation.
You will find more information on the project's support page and the official support page.
Comment From: AshishJogiAcc
Hi @bclozel - Thank you for your response. Due to operational constraints, upgrading our Java version or Spring Framework is not feasible at this time. We would like to request your guidance on considering CVE-2024-38819 as a false positive for now.
Could you please advise on possible code or configuration-level mitigations? Additionally, if we need to formalize this as an exception, could you guide us on how to proceed?
We appreciate your expertise and support.
Comment From: bclozel
CVE-2024-38819 is not considered a false positive and should be fixed in your application. I can't say whether your application is vulnerable or not; you should find all the relevant information in the official advisory.
You're asking for professional support but this issue tracker is dedicated to free open source support only.
Comment From: AshishJogiAcc
Hi @bclozel - As we are addressing CVE-2024-38819 (Path Traversal Vulnerability) in our application, we would like to confirm the required framework and Java versions for a secure resolution. Specifically, our application is running on Spring Boot 1.5.2, Spring Framework 4.3.7, and an older Java version. Could you confirm whether upgrading to a newer Java version is required to resolve this vulnerability?
If you are not the right point of contact, could you kindly direct us to someone who can confirm this for us? Additionally, if there are any official documents or advisories that confirm the necessary upgrades, that would be extremely helpful.
Comment From: bclozel
Specifically, our application is running on Spring Boot 1.5.2, Spring Framework 4.3.7, and an older Java version.
Those versions are all out of support and have numerous vulnerabilities that aren't fixed. You should consider upgrading to a commercial version as soon as possible.
If you are not the right point of contact, could you kindly direct us to someone who can confirm this for us?
Sure, you can reach out to support here.