| Summary: | CVE-2014-3625 Spring Framework: directory traversal flaw | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Chess Hazlett <chazlett> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | agrimm, bdawidow, chazlett, epp-bugs, grocha, hfnukal, jpallich, juan.hernandez, kconner, ldimaggi, msrb, mweiler, pavelp, rwagner, rzhang, soa-p-jira, sparks, theute, tkirby, weli |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | spring-webmvc 3.2.12, spring-webmvc 4.0.8, spring-webmvc 4.1.2 | Doc Type: | Bug Fix |
| Doc Text: | A directory traversal flaw was found in the way the Spring Framework sanitized certain URLs. A remote attacker could use this flaw to obtain any file on the file system that was also accessible to the process in which the Spring web application was running. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-04-11 04:09:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1166217, 1166218, 1166219, 1166220, 1166221, 1166222, 1166223, 1166224, 1166225, 1166373, 1166375, 1166376 | | |
| Bug Blocks: | 1162937, 1181883, 1182419, 1194004, 1196328 | | |
Description

Chess Hazlett, 2014-11-20 04:34:37 UTC

Upstream bug: https://jira.spring.io/browse/SPR-12354

Upstream patch commits:
- https://github.com/spring-projects/spring-framework/commit/9beae9ae4226c45cd428035dae81214439324676
- https://github.com/spring-projects/spring-framework/commit/9cef8e3001ddd61c734281a7556efd84b6cc2755
- https://github.com/spring-projects/spring-framework/commit/3f68cd633f03370d33c2603a6496e81273782601

This issue has been addressed in the following products:
Red Hat JBoss BRMS 6.0.3
Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

This issue has been addressed in the following products:
Red Hat JBoss BPM Suite 6.0.3
Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html

This issue has been addressed in the following products:
Red Hat JBoss Fuse/A-MQ 6.1.0
Via RHSA-2015:0236 https://rhn.redhat.com/errata/RHSA-2015-0236.html

This issue has been addressed in the following products:
Red Hat JBoss Fuse Service Works 6.0.0
Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html

Red Hat JBoss Portal is now in Maintenance Support phase, receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the JBoss Product Life Cycle: https://access.redhat.com/support/policy/updates/jboss_notes/
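The Doc Text above describes the general failure mode behind this class of bug: a static-resource handler maps a request URL onto a file path without confirming that the resolved path still lies under the configured resource location. The following is an added example, not code from Spring or from the Red Hat bug record, showing the containment check a defender expects from such a handler: decode once, reject NUL bytes, resolve the candidate path (symlinks included) and require that the result shares the base directory as a prefix at the path-segment level. The base directory `/srv/static` and the request paths are constructed sample values.

```python
import os
from urllib.parse import unquote


def resolve_static_path(base_dir: str, request_path: str):
    """Map a URL path onto a file under base_dir.

    Returns the resolved absolute path, or None when the request would
    escape base_dir (directory traversal) or carries a NUL byte.
    """
    # Decode percent-encoding exactly once; a second decode would turn
    # a literal "%252e" into "." and reintroduce the traversal problem.
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None

    # Resolve the base itself so symlinked roots compare consistently.
    base_real = os.path.realpath(base_dir)

    # Treat the request as relative to the base even if it starts with "/".
    candidate = os.path.join(base_real, decoded.lstrip("/"))

    # realpath collapses "." and ".." and follows symlinks, so the check
    # below sees the path the filesystem would actually open.
    candidate_real = os.path.realpath(candidate)

    # commonpath works on whole segments: "/srv/static2" does not pass
    # as being under "/srv/static", unlike a plain str.startswith test.
    if os.path.commonpath([base_real, candidate_real]) != base_real:
        return None
    return candidate_real


def classify_requests(base_dir: str, request_paths):
    """Return {request_path: 'served' | 'rejected'} for a batch of paths."""
    return {
        p: ("served" if resolve_static_path(base_dir, p) else "rejected")
        for p in request_paths
    }


if __name__ == "__main__":
    # Constructed sample requests: ordinary assets plus traversal attempts.
    sample = [
        "/css/app.css",
        "/css/../img/logo.png",          # ".." that stays inside the base
        "/../../etc/passwd",
        "/css/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "/css/..%2f..%2fetc/passwd",
        "/app.css%00.png",
    ]
    for path, verdict in classify_requests("/srv/static", sample).items():
        print(f"{verdict:8} {path}")
```

In a real deployment the same check belongs in a request filter or in the resource resolver itself, and rejected requests should be logged with the decoded path so that traversal attempts show up in detection rules.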