Bug 1571050 (CVE-2018-1271)

Summary: CVE-2018-1271 spring-framework: Directory traversal vulnerability with static resources on Windows filesystems
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alazarot, anstephe, apevec, bmaxwell, cdewolf, chazlett, chrisw, csutherl, darran.lofthouse, dffrench, dimitris, dosoudil, drieden, drusso, etirelli, gvarsami, ibek, java-sig-commits, jawilson, jcoleman, jjoyce, jmadigan, jolee, jschatte, jschluet, jshepherd, jstastny, kbasil, kconner, kverlaen, ldimaggi, lef, lgao, lgriffin, lhh, lpeer, lpetrovi, markmc, mburns, mkolesni, myarboro, ngough, nwallace, paradhya, pgier, psakar, pslavice, puntogil, pwright, rbryant, rhel8-maint, rnetuka, rrajasek, rsvoboda, rsynek, rwagner, rzhang, sclewis, sdaley, sisharma, slinaber, ssaha, tcunning, tdecacqu, tkirby, trepel, twalsh, vbellur, vhalbert, vtunka, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: springframework 5.05, springframework 4.3.15 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:20:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1700953, 1700986    
Bug Blocks: 1571053    

Description Sam Fowler 2018-04-24 02:38:14 UTC 
Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

This vulnerability does not affect applications that use versions of Spring Security patched for CVE-2018-1199. 


External Reference:

https://pivotal.io/security/cve-2018-1271
Comment 3 errata-xmlrpc 2018-05-03 17:06:58 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2018:1320 https://access.redhat.com/errata/RHSA-2018:1320
Comment 4 Riccardo Schirone 2018-05-22 08:25:04 UTC 
Patch:
https://github.com/spring-projects/spring-framework/commit/13356a7ee2240f740737c5c83bdccdacc30603ab
Comment 5 errata-xmlrpc 2018-09-11 07:54:47 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669
Comment 6 errata-xmlrpc 2018-10-17 19:29:59 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse Intergration Services 2.0 based on Fuse 6.3 R8

Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939
Comment 11 Joshua Padman 2019-05-16 13:31:29 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss BRMS 5
 * Red Hat Enterprise Application Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 14 Jonathan Christison 2020-03-11 14:14:57 UTC 
This vulnerability is out of security support scope for the following product:
 * SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.