Vulnerability CVE-2018-1271


Published: 2018-04-06

Description:
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Type:

CWE-22

(Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Pivotal software -> Spring framework 
Oracle -> Retail order broker 
Oracle -> Application testing suite 
Oracle -> Retail point-of-sale 
Oracle -> Big data discovery 
Oracle -> Retail predictive application server 
Oracle -> Communications diameter signaling router 
Oracle -> Retail returns management 
Oracle -> Enterprise manager ops center 
Oracle -> Service architecture leveraging tuxedo 
Oracle -> Goldengate for big data 
Oracle -> Tape library acsls 
Oracle -> Health sciences information manager 
Oracle -> Healthcare master person index 
Oracle -> Insurance calculation engine 
Oracle -> Insurance rules palette 
Oracle -> Primavera gateway 
Oracle -> Retail back office 
Oracle -> Retail central office 
Oracle -> Retail customer insights 
Oracle -> Retail integration bus 
Oracle -> Retail open commerce platform 

 References:
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/103699
https://access.redhat.com/errata/RHSA-2018:1320
https://access.redhat.com/errata/RHSA-2018:2669
https://access.redhat.com/errata/RHSA-2018:2939
https://pivotal.io/security/cve-2018-1271
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Copyright 2020, cxsecurity.com

 

Back to Top