Why did we take our current approach to CVE-2024-38819?
CVE-2024-38819 describes a path traversal vulnerability in the Spring Framework. Per Spring’s advisory on the matter (https://spring.io/security/cve-2024-38819):
“Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
This is similar to CVE-2024-38816, but with different input”.
RadiantOne IDDM does not serve static resources through either WebMvc.fn or WebFlux.fn, and therefore is not impacted by this vulnerability.
Is there additional context around this exploit?
There are plenty of articles on this topic, but no specific proof of concept has been published for CVE-2024-38819. That said, there is a GitHub repository that offers insight into the vulnerability itself as well as a public proof of concept for the related CVE-2024-38816: https://github.com/WULINPIN/CVE-2024-38816-PoC details the exploit for CVE-2024-38816. Given the similarities (but with different inputs), it stands to reason that a similarly crafted attack could be used to exploit this vulnerability.
Is RadiantOne IDDM going to have an updated version of Spring?
We are currently testing RadiantOne IDDM with the latest release of the Spring Framework (5.3.41). An update containing these updated libraries will be released; it is targeted for 7.4.13 and for the respective releases of version 8.
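The two conditions this FAQ's reasoning rests on (does an application register static resources through WebMvc.fn or WebFlux.fn, and is its Spring Framework 5.3.x at or above 5.3.41, the release named above?) can be applied to a code base of your own. The following POSIX shell helper is an added example, not Radiant Logic's or Spring's code. It assumes that functional static resource routes are registered through `RouterFunctions.resources(...)` (the entry point in `org.springframework.web.servlet.function` and `org.springframework.web.reactive.function.server`), it only knows the fixed version on the 5.3 line that this FAQ names (the 6.x lines have their own fixed releases, listed in Spring's advisory), and the sample source files it writes under a temporary directory are constructed for the dry run.

```shell
#!/bin/sh
# Added audit helper (not Radiant Logic's or Spring's code). For one code base it
# checks the two conditions the FAQ's "not impacted" reasoning turns on:
#   1. whether any source file registers static resources through the functional
#      frameworks (WebMvc.fn / WebFlux.fn), i.e. calls RouterFunctions.resources(...)
#      or statically imports that method;
#   2. whether a Spring Framework 5.3.x version is at or above 5.3.41, the release
#      the FAQ names (assumption: other release lines are checked against the
#      advisory separately and are reported as "undetermined" here).

# Exit 0 if the tree under $1 serves static resources via WebMvc.fn / WebFlux.fn.
uses_fn_static_resources() {
  grep -rqE \
    'RouterFunctions\.resources\(|import static org\.springframework\.web\.(servlet|reactive)\.function(\.server)?\.RouterFunctions\.resources' \
    --include='*.java' --include='*.kt' "$1"
}

# Exit 0 if dotted version $1 >= dotted version $2, comparing components numerically.
version_ge() {
  highest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)
  [ "$highest" = "$1" ]
}

# Exit 0 if 5.3.x version $1 contains the fix (>= 5.3.41), 1 if it is older,
# 2 if $1 is not on the 5.3 line at all.
spring53_has_fix() {
  case "$1" in
    5.3.*) version_ge "$1" 5.3.41 ;;
    *) echo "$1 is not a 5.3.x release; check the advisory for its fixed version" >&2
       return 2 ;;
  esac
}

# Verdict for one code base: $1 = source root, $2 = Spring Framework version.
assess() {
  src=$1; ver=$2
  if ! uses_fn_static_resources "$src"; then
    echo "not affected: no functional static resources"
  else
    spring53_has_fix "$ver" && rc=0 || rc=$?
    case $rc in
      0) echo "patched: functional static resources on Spring $ver" ;;
      1) echo "affected: functional static resources on unpatched Spring $ver" ;;
      *) echo "undetermined: functional static resources on Spring $ver (not a 5.3.x release)" ;;
    esac
  fi
}

# Dry run on two constructed sample trees: one using WebMvc.fn static resources,
# one using the annotation-based MVC resource handler (not in scope of the CVE).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/fn/src" "$tmp/mvc/src"
  cat > "$tmp/fn/src/Routes.java" <<'EOF'
import org.springframework.core.io.FileSystemResource;
import org.springframework.web.servlet.function.RouterFunctions;
public class Routes {
  // WebMvc.fn static resources: the pattern Spring's advisory describes
  public static Object routes() {
    return RouterFunctions.resources("/files/**", new FileSystemResource("/srv/files/"));
  }
}
EOF
  cat > "$tmp/mvc/src/StaticConfig.java" <<'EOF'
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
public class StaticConfig {
  // annotation-based MVC resource handler, not WebMvc.fn
  public void addResourceHandlers(ResourceHandlerRegistry r) {
    r.addResourceHandler("/files/**").addResourceLocations("file:/srv/files/");
  }
}
EOF
  assess "$tmp/fn" 5.3.40
  assess "$tmp/fn" 5.3.41
  assess "$tmp/mvc" 5.3.40
  rm -rf "$tmp"
}

demo
```

Run `assess /path/to/checkout 5.3.40` against a real source tree and the version reported by your build tool. The grep is a heuristic: it catches both overloads of `RouterFunctions.resources` because it matches on the method name, but it will miss code that wraps the call in a helper with another name, so treat "not affected" as input to a manual review of the routing configuration rather than as proof.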
Is Radiant Logic’s SaaS offering for IDDM impacted by this vulnerability?
Radiant Logic IDDM is not impacted for the reasons stated above, but an update to the SaaS offering for IDDM will be released that encompasses the Spring Security update.
Is Identity Analytics impacted by this vulnerability?
Identity Analytics does not serve static resources through either WebMvc.fn or WebFlux.fn, and therefore is not impacted by this vulnerability.
Is CFS impacted by this vulnerability?
No, CFS is a .NET product that does not use any Java libraries.