-
Bug
-
Resolution: Fixed
-
High
-
7.19.0, 8.5.0, 9.1.1
-
7
-
Severity 3 - Minor
-
3
-
Issue Summary
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
Reference: https://spring.io/security/cve-2024-38819
This is similar to CVE-2024-38816 but with different inputs.
- follows
-
VULN-1460611 Failed to load
[CONFSERVER-98564] CVE-2024-38819: Path traversal vulnerability in org.springframework:spring-webmvc used by Confluence Data Center
Hi ,
we upgraded confluence data center 9.1.0 to 9.2.0 version, but we found /opt/confluence/atlassian/confluence/synchrony-proxy/WEB-INF/lib/spring-webmvc-5.3.39-atlassian-3.jar is still in use. As per this page CVE-2024-38819: Path traversal vulnerability in functional web frameworks (2nd report) fixed in 5.3.41.
How to fix issue
Relevant other ticket about the same CVE in Confluence: CONFSERVER-98842
According to spring the fix version for 5.3.x is 5.3.41 but our systems are detecting that as of 8.9.5 of confluence atlassian-confluence-8.9.5/synchrony-proxy/WEB-INF/lib/spring-webmvc-5.3.34.jar is still in use. Should this ticket be updated to reflect these because when I searched confluence CVE-2024-38819 this ticket was my first result which the affected versions and fix versions don't match what I'm seeing in my systems.
A fix for this issue is available in Confluence Server and Data Center 8.5.18. Upgrade now or check out the Release Notes to see what other issues are resolved.
This is still a problem in 8.5.19, where CONFLUENCE_INSTALL/synchrony-proxy/WEB-INF/lib/spring-webmvc-5.3.39-atlassian-3.jar is still installed.