Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-38819: Path Traversal in VMware Spring Framework

CWE-22 Path Traversal | 12 documents | 8 sources
Severity: 7.5 HIGH (NVD)
EPSS: 92.9% (top 0.23%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products: listed under Affected Packages below
Timeline: Published 2024-12-19 (NVD); latest update 2025-10-15. Note that the Red Hat advisory listed below is dated 2024-10-17, two months before the NVD publication date, so the fix predates the NVD entry.

Description

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
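As an added illustration of the flaw class the description names (this is not Spring Framework code, and it does not reproduce the specific defect fixed in the versions listed on this page), the following Python puts a static-resource handler that decodes the request path and joins it to its resource root without checking that the result is still inside that root beside a containment check that refuses anything that escapes. The resource root and the request paths are constructed for the example.

```python
"""Path containment for a static-resource handler (CWE-22 illustration).

Added example, not Spring Framework code. A request path is percent-decoded
once, joined to the resource root and normalised; the hardened form then
refuses any result that no longer lies inside the root.
"""
import os
from urllib.parse import unquote

ROOT = "/srv/app/static"  # constructed resource root for the examples below


def naive_lookup(root: str, request_path: str) -> str:
    """Constructed vulnerable form: decode, join and normalise, but never
    confirm that the normalised path is still inside root."""
    rel = unquote(request_path).lstrip("/")
    return os.path.normpath(os.path.join(root, rel))


def safe_lookup(root: str, request_path: str):
    """Return the file path to serve for request_path, or None to refuse it."""
    root_norm = os.path.normpath(root)
    decoded = unquote(request_path)
    # Exactly one decoding layer: anything still percent-encoded, NUL bytes
    # or backslash separators are refused rather than interpreted.
    if "%" in decoded or "\x00" in decoded or "\\" in decoded:
        return None
    # lstrip("/") matters: os.path.join discards root entirely when the
    # second argument is an absolute path.
    candidate = os.path.normpath(os.path.join(root_norm, decoded.lstrip("/")))
    # The containment check: the candidate must be root itself or live
    # strictly below it. "../" segments that climbed above root fail here.
    if candidate != root_norm and not candidate.startswith(root_norm + os.sep):
        return None
    return candidate


# Constructed request paths: an ordinary file, a harmless dot-segment,
# the classic encoded traversal, and a double-encoded traversal.
REQUESTS = [
    "/css/app.css",
    "/css/../index.html",
    "/..%2F..%2F..%2Fetc%2Fpasswd",
    "/%252e%252e/x",
]


def compare(root: str = ROOT) -> dict:
    """Map each request path to (naive result, hardened result)."""
    return {p: (naive_lookup(root, p), safe_lookup(root, p)) for p in REQUESTS}


if __name__ == "__main__":
    for path, (naive, safe) in compare().items():
        print(f"{path!r:34} naive={naive!r:34} safe={safe!r}")
```

The naive form resolves the encoded traversal to /etc/passwd, which is the shape of outcome the description above warns about (any file readable by the process); the hardened form returns None for it and for the double-encoded variant, while still serving ordinary paths and harmless dot-segments.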

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Network-reachable, low attack complexity, no privileges or user interaction required, scope unchanged; the impact is confidentiality only (C:H, I:N, A:N), which matches a read-only file disclosure.

Affected Packages (1 package)

CVEList V5: vmware/spring_framework, Spring Framework 5.3.0 - 5.3.40, 6.0.0 - 6.0.24, 6.1.0 - 6.1.13 (the next patch releases, 5.3.41, 6.0.25 and 6.1.14, fall outside the affected ranges)
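A practitioner's first question is whether a given build sits inside these ranges. The following is an added example (not tooling from Spring or from this page's sources) that pulls the versions of spring-webmvc and spring-webflux out of mvn dependency:list style output and tests them against the ranges listed above. The sample output lines are constructed, and the choice of those two artifacts as the ones to check (WebMvc.fn lives in spring-webmvc, WebFlux.fn in spring-webflux) is an assumption of the example.

```python
"""Version-range check for CVE-2024-38819. Added example, not vendor tooling."""
import re

# Affected ranges exactly as listed on this page (inclusive at both ends).
AFFECTED = [
    ((5, 3, 0), (5, 3, 40)),
    ((6, 0, 0), (6, 0, 24)),
    ((6, 1, 0), (6, 1, 13)),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Assumed artifact names to inspect; format mirrors `mvn dependency:list`.
DEP_RE = re.compile(r"org\.springframework:(spring-web(?:mvc|flux)):jar:([^:]+):")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch). Qualifiers such as -SNAPSHOT or -M1 are
    ignored, so a pre-release of the first fixed version reports as fixed;
    treat such builds as suspect and confirm against the fix commit."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def scan_dependency_list(text: str) -> dict:
    """Map 'artifact:version' to affected/not for each matching line."""
    return {f"{art}:{ver}": is_affected(ver) for art, ver in DEP_RE.findall(text)}


# Constructed sample of mvn dependency:list output.
SAMPLE = """\
[INFO]    org.springframework:spring-core:jar:6.1.13:compile
[INFO]    org.springframework:spring-webmvc:jar:6.1.13:compile
[INFO]    org.springframework:spring-webflux:jar:6.1.14:compile
"""

if __name__ == "__main__":
    for dep, hit in scan_dependency_list(SAMPLE).items():
        print(f"{dep:32} {'AFFECTED' if hit else 'not affected'}")
```

A hit only means the framework version is in range; whether the application actually serves static resources through WebMvc.fn or WebFlux.fn, the condition the description states, still has to be confirmed in the application's routing configuration.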

🔴 Vulnerability Details (4)
GHSA: Spring Framework Path Traversal vulnerability (2024-12-19)
OSV: CVE-2024-38819: Applications serving static resources through the functional web frameworks WebMvc (2024-12-19)
CVEList: CVE-2024-38819: Applications serving static resources through the functional web frameworks WebMvc (2024-12-19)
OSV: Spring Framework Path Traversal vulnerability (2024-12-19)

💥 Exploits & PoCs (1)
Nuclei: Spring Framework Path Traversal in Functional Web Frameworks

📋 Vendor Advisories (6)
Oracle: Oracle Enterprise Manager Risk Matrix: Infrastructure Management (Spring Framework), CVE-2024-38819 (2025-10-15)
Oracle: Oracle Communications Risk Matrix: Platform (Spring Framework), CVE-2024-38819 (2025-07-15)
Oracle: Oracle Commerce Risk Matrix: Content Acquisition System (Spring Framework), CVE-2024-38819 (2025-04-15)
Oracle: Oracle Communications Risk Matrix: Install (Spring Framework), CVE-2024-38819 (2025-01-15)
Red Hat: org.springframework:spring-webmvc: Path traversal vulnerability in functional web frameworks (2024-10-17)