Podatność CVE-2018-1271


Publikacja: 2018-04-06

Opis:
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Typ:

CWE-22

(Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Ogólna skala CVSS
Znaczenie
Łatwość wykorzystania
4.3/10
2.9/10
8.6/10
Wymagany dostęp
Złożoność ataku
Autoryzacja
Zdalny
Średnia
Nie wymagana
Wpływ na poufność
Wpływ na integralność
Wpływ na dostępność
Częściowy
Brak
Brak
Affected software
Pivotal software -> Spring framework 
Oracle -> Retail open commerce platform 
Oracle -> Retail order broker 
Oracle -> Application testing suite 
Oracle -> Retail point-of-sale 
Oracle -> Big data discovery 
Oracle -> Retail predictive application server 
Oracle -> Communications diameter signaling router 
Oracle -> Retail returns management 
Oracle -> Enterprise manager ops center 
Oracle -> Service architecture leveraging tuxedo 
Oracle -> Goldengate for big data 
Oracle -> Tape library acsls 
Oracle -> Health sciences information manager 
Oracle -> Healthcare master person index 
Oracle -> Insurance calculation engine 
Oracle -> Insurance rules palette 
Oracle -> Primavera gateway 
Oracle -> Retail back office 
Oracle -> Retail central office 
Oracle -> Retail customer insights 
Oracle -> Retail integration bus 

 Referencje:
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/103699
https://access.redhat.com/errata/RHSA-2018:1320
https://access.redhat.com/errata/RHSA-2018:2669
https://access.redhat.com/errata/RHSA-2018:2939
https://pivotal.io/security/cve-2018-1271
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Copyright 2024, cxsecurity.com

 

Back to Top