Bug 1571050 (CVE-2018-1271)

Summary: CVE-2018-1271 spring-framework: Directory traversal vulnerability with static resources on Windows filesystems
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alazarot, anstephe, apevec, bmaxwell, cdewolf, chazlett, chrisw, csutherl, darran.lofthouse, dffrench, dimitris, dosoudil, drieden, drusso, etirelli, gvarsami, ibek, java-sig-commits, jawilson, jcoleman, jjoyce, jmadigan, jolee, jschatte, jschluet, jshepherd, jstastny, kbasil, kconner, kverlaen, ldimaggi, lef, lgao, lgriffin, lhh, lpeer, lpetrovi, markmc, mburns, mkolesni, myarboro, ngough, nwallace, paradhya, pgier, psakar, pslavice, puntogil, pwright, rbryant, rhel8-maint, rnetuka, rrajasek, rsvoboda, rsynek, rwagner, rzhang, sclewis, sdaley, sisharma, slinaber, ssaha, tcunning, tdecacqu, tkirby, trepel, twalsh, vbellur, vhalbert, vtunka, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20180405,reported=20180424,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N,cwe=CWE-22,fedora-all/springframework=notaffected,rhel-8/springframework=notaffected,fsw-6/spring=wontfix,fuse-6/spring=wontfix,jdv-6/spring=affected,brms-5/spring=wontfix,soap-5/spring=affected,openstack-9/opendaylight=notaffected,openstack-10/opendaylight=notaffected,openstack-11/opendaylight=notaffected,openstack-12/opendaylight=notaffected,openstack-13/opendaylight=notaffected,rhes-3/rhevm-dependencies=notaffected,amq-6/spring=affected,eap-5/spring=wontfix,rhmap-4/spring=notaffected,fis-2/spring=affected,fuse-7/spring=affected
Fixed In Version: springframework 5.05, springframework 4.3.15 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:20:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1700953, 1700986    
Bug Blocks: 1571053    

Description Sam Fowler 2018-04-24 02:38:14 UTC
Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

This vulnerability does not affect applications that use versions of Spring Security patched for CVE-2018-1199. 


External Reference:

https://pivotal.io/security/cve-2018-1271

Comment 3 errata-xmlrpc 2018-05-03 17:06:58 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2018:1320 https://access.redhat.com/errata/RHSA-2018:1320

Comment 5 errata-xmlrpc 2018-09-11 07:54:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669

Comment 6 errata-xmlrpc 2018-10-17 19:29:59 UTC
This issue has been addressed in the following products:

  Red Hat Fuse Intergration Services 2.0 based on Fuse 6.3 R8

Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939

Comment 11 Joshua Padman 2019-05-16 13:31:29 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss BRMS 5
 * Red Hat Enterprise Application Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.