Path traversal vulnerability in functional web frameworks
High severity
GitHub Reviewed
Published
Sep 13, 2024
to the GitHub Advisory Database
•
Updated Sep 13, 2024
Package
Affected versions
>= 6.1.0, < 6.1.13
>= 6.0.0, < 6.0.24
< 5.3.40
Patched versions
6.1.13
6.0.24
5.3.40
Description
Published by the National Vulnerability Database
Sep 13, 2024
Published to the GitHub Advisory Database
Sep 13, 2024
Reviewed
Sep 13, 2024
Last updated
Sep 13, 2024
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
Specifically, an application is vulnerable when both of the following are true:
However, malicious requests are blocked and rejected when any of the following is true:
References