Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
References
Link | Resource |
---|---|
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html | Patch Third Party Advisory |
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html | Patch Third Party Advisory |
http://www.securityfocus.com/bid/103699 | Third Party Advisory VDB Entry |
https://access.redhat.com/errata/RHSA-2018:1320 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2018:2669 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2018:2939 | Third Party Advisory |
https://pivotal.io/security/cve-2018-1271 | Vendor Advisory |
https://www.oracle.com/security-alerts/cpujul2020.html | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2021.html | Third Party Advisory |
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html | Patch Third Party Advisory |
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
No history.
Information
Published : 2018-04-06 13:29
Updated : 2024-02-28 16:25
NVD link : CVE-2018-1271
Mitre link : CVE-2018-1271
CVE.ORG link : CVE-2018-1271
JSON object : View
Products Affected
oracle
- communications_converged_application_server
- insurance_calculation_engine
- rapid_planning
- goldengate_for_big_data
- tape_library_acsls
- retail_order_broker
- retail_returns_management
- health_sciences_information_manager
- retail_xstore_point_of_service
- retail_back_office
- communications_services_gatekeeper
- communications_policy_management
- retail_open_commerce_platform
- service_architecture_leveraging_tuxedo
- application_testing_suite
- retail_predictive_application_server
- retail_integration_bus
- retail_point-of-sale
- healthcare_master_person_index
- enterprise_manager_ops_center
- retail_central_office
- insurance_rules_palette
- primavera_gateway
- big_data_discovery
- communications_performance_intelligence_center
- retail_customer_insights
- communications_diameter_signaling_router
vmware
- spring_framework
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')