PT-2024-7362 · Atlassian+2 · Confluence Data Center/Server+7

Masato Anzai · Published 2024-10-17 · Updated 2026-04-24 · CVE-2024-38819

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
  Spring Framework versions prior to 5.3.41
  Spring Framework versions prior to 6.0.25
  Spring Framework versions prior to 6.1.14
  Confluence Data Center and Server versions 3.0 through 9.1.0
  Confluence Data Center and Server version 9.1
  Bitbucket Data Center and Server versions 8.9.0 through 8.9.23
  Bitbucket Data Center and Server versions 8.19.0 through 8.19.12
  Bitbucket Data Center and Server version 8.9
  Bitbucket Data Center and Server version 8.19
  Bitbucket Data Center and Server version 9.4

Description: Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Over 31,900 services are potentially affected by this vulnerability.

Recommendations:
  For Spring Framework versions prior to 5.3.41, update to version 5.3.41 or later.
  For Spring Framework versions prior to 6.0.25, update to version 6.0.25 or later.
  For Spring Framework versions prior to 6.1.14, update to version 6.1.14 or later.
  For Confluence Data Center and Server version 9.1, upgrade to a release greater than or equal to 9.1.1.
  For Bitbucket Data Center and Server version 8.9, upgrade to a release greater than or equal to 8.9.24.
  For Bitbucket Data Center and Server version 8.19, upgrade to a release greater than or equal to 8.19.13.
  For Bitbucket Data Center and Server version 9.4, upgrade to a release greater than or equal to 9.4.0.
  As a temporary workaround, consider restricting access to sensitive files and directories by implementing proper file permissions.
  Conduct a vulnerability scan to ensure no other instances are running vulnerable versions.
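The weakness described above is the classic static-file path traversal: a request path is mapped onto the file system without confirming that the decoded, normalised result still lies under the resource root. The following Python is an added example, not Spring's code and not the upstream fix; it shows the containment check a static-resource handler needs (one round of percent-decoding, rejection of ".." segments and of anything still percent-encoded after decoding) and a detection pass that flags the same patterns in access-log lines. The root `/srv/app/static`, the `/static/` route prefix, and the log lines are constructed for the example.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed values for this example; a real deployment supplies its own root and prefix.
STATIC_ROOT = "/srv/app/static"
STATIC_PREFIX = "/static/"


def traversal_reason(url_path: str) -> Optional[str]:
    """Return why a URL path must be rejected, or None if it is safe to map onto the file system."""
    decoded = unquote(url_path)          # one round of percent-decoding: "%2e%2e" -> ".."
    if "%" in decoded:
        # Conservative choice: a second layer of encoding is never legitimate here.
        return "double-encoded or malformed percent sequence"
    if "\x00" in decoded:
        return "embedded NUL byte"
    if "\\" in decoded:
        return "backslash separator"
    if any(seg == ".." for seg in decoded.split("/")):
        return "parent-directory segment"
    return None


def resolve_static_path(url_path: str, static_root: str = STATIC_ROOT,
                        prefix: str = STATIC_PREFIX) -> Optional[str]:
    """Map a request path under `prefix` onto a file under `static_root`.

    Returns the absolute file path, or None when the request is outside the
    route or would escape the root. The check is lexical: symlinks placed
    inside static_root are a separate concern handled at deployment time."""
    if not url_path.startswith(prefix) or traversal_reason(url_path) is not None:
        return None
    relative = unquote(url_path[len(prefix):])
    segments = [s for s in relative.split("/") if s not in ("", ".")]
    if not segments:
        return None                      # the directory itself is not a file to serve
    root = static_root.rstrip("/")
    candidate = posixpath.join(root, *segments)
    # Belt-and-braces containment check: every accepted path starts with the root.
    assert candidate.startswith(root + "/")
    return candidate


# Constructed access-log lines (Common Log Format) for the detection pass below.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Oct/2024:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 512
10.0.0.5 - - [17/Oct/2024:10:00:02 +0000] "GET /static/css/site.css HTTP/1.1" 200 2048
203.0.113.9 - - [17/Oct/2024:10:00:03 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0
203.0.113.9 - - [17/Oct/2024:10:00:04 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
203.0.113.9 - - [17/Oct/2024:10:00:05 +0000] "GET /static/%252e%252e/etc/passwd HTTP/1.1" 404 0
"""

_REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')


def flag_traversal_attempts(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, reason) for every static-route request that fails traversal_reason()."""
    flagged = []
    for line in log_text.splitlines():
        m = _REQUEST_RE.search(line)
        if not m or not m.group(1).startswith(STATIC_PREFIX):
            continue
        reason = traversal_reason(m.group(1))
        if reason is not None:
            flagged.append((line.split(" ", 1)[0], reason))
    return flagged


if __name__ == "__main__":
    for path in ["/static/app.js", "/static/../../etc/passwd", "/static/%2e%2e/etc/passwd"]:
        print(f"{path!r:40} -> {resolve_static_path(path)}")
    for client, reason in flag_traversal_attempts(SAMPLE_LOG):
        print(f"flagged {client}: {reason}")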

Exploit · Fix

Weakness Enumeration

Path traversal

Related Identifiers

BDU:2024-08726
CVE-2024-38819
GHSA-G5VR-RGQM-VF78

Affected Products

Bitbucket
Bitbucket Data Center/Server
Confluence
Confluence Data Center/Server
Debian
Spring Framework
Webflux.Fn
Webmvc.Fn