Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
21 Nov 2024, 03:59
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html - Patch, Third Party Advisory | |
References | () http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html - Patch, Third Party Advisory | |
References | () http://www.securityfocus.com/bid/103699 - Third Party Advisory, VDB Entry | |
References | () https://access.redhat.com/errata/RHSA-2018:1320 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2018:2669 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2018:2939 - Third Party Advisory | |
References | () https://pivotal.io/security/cve-2018-1271 - Vendor Advisory | |
References | () https://www.oracle.com/security-alerts/cpujul2020.html - Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpuoct2021.html - Third Party Advisory | |
References | () https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html - Patch, Third Party Advisory |
Information
Published : 2018-04-06 13:29
Updated : 2024-11-21 03:59
NVD link : CVE-2018-1271
Mitre link : CVE-2018-1271
CVE.ORG link : CVE-2018-1271
JSON object : View
Products Affected
oracle
- communications_services_gatekeeper
- primavera_gateway
- communications_policy_management
- communications_converged_application_server
- rapid_planning
- healthcare_master_person_index
- application_testing_suite
- retail_order_broker
- retail_point-of-sale
- retail_back_office
- communications_performance_intelligence_center
- service_architecture_leveraging_tuxedo
- retail_central_office
- insurance_rules_palette
- big_data_discovery
- retail_open_commerce_platform
- enterprise_manager_ops_center
- goldengate_for_big_data
- health_sciences_information_manager
- insurance_calculation_engine
- communications_diameter_signaling_router
- retail_integration_bus
- retail_predictive_application_server
- tape_library_acsls
- retail_customer_insights
- retail_xstore_point_of_service
- retail_returns_management
vmware
- spring_framework
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')