Bug 1408164 (CVE-2016-9878) - CVE-2016-9878 Spring Framework: Directory Traversal in the Spring Framework ResourceServlet
Summary: CVE-2016-9878 Spring Framework: Directory Traversal in the Spring Framework R...
Status: NEW
Alias: CVE-2016-9878
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=moderate,public=20161221,repor...
Keywords: Security
Depends On: 1408165
Blocks: 1408166
Reported: 2016-12-22 10:59 UTC by Adam Mariš
Modified: 2019-06-08 21:40 UTC (History)

It was found that ResourceServlet in Spring Framework does not properly sanitize the paths provided to it. An attacker can use this flaw to conduct directory traversal attacks.
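The defect described above is the classic one for a servlet that maps a request path onto files under a fixed base directory: if "." and ".." segments (plain or percent-encoded) survive into the filesystem path, a request can escape the base. The following check is an added illustration of the mitigation and is not Spring's code; the base directory, the helper names and the sample request paths are constructed for the example. It canonicalizes the requested path and only accepts it if the result still lies inside the base.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example base directory for served static resources.
STATIC_BASE = "/var/www/static"


def resolve_resource(requested: str, base: str = STATIC_BASE) -> Optional[str]:
    """Return the canonical filesystem path for a requested resource,
    or None if the request would escape the base directory.

    Hypothetical helper written for this example; the servlet in the
    report is the vulnerable equivalent of a resolver without this check.
    """
    # Decode percent-encoding exactly once, so "%2e%2e" becomes "..".
    decoded = unquote(requested)

    # Anything still percent-encoded after one decode is double-encoding;
    # refuse it rather than decode in a loop and guess the intent.
    if "%" in decoded:
        return None

    # Embedded NULs and backslashes are never part of a legitimate
    # resource name and are common ways to confuse path handling.
    if "\x00" in decoded or "\\" in decoded:
        return None

    # Treat the request as relative to the base, then collapse "." and
    # ".." segments with normpath so the result is a canonical path.
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))

    # The canonical path must be the base itself or a descendant of it.
    # Comparing against base + "/" avoids a prefix match such as
    # "/var/www/static2" being accepted for base "/var/www/static".
    root = base.rstrip("/")
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def is_safe_resource_path(requested: str, base: str = STATIC_BASE) -> bool:
    """Boolean convenience wrapper around resolve_resource."""
    return resolve_resource(requested, base) is not None


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, the rest traversal attempts.
    for path in [
        "css/app.css",
        "/js/./vendor/lib.js",
        "../../etc/passwd",
        "css/../../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "%252e%252e/etc/passwd",
    ]:
        print(f"{path!r:40} -> {resolve_resource(path)}")
```

The decision to reject rather than silently strip traversal segments matters for detection as well as prevention: a rejected request can be logged as a traversal attempt, whereas a resolver that quietly collapses ".." hides the probe. A servlet that also serves from the classpath or from symbolic links needs an additional check on the real, link-resolved path, which this string-level check does not cover.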
Clone Of:
Last Closed:


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3115 normal SHIPPED_LIVE Moderate: Red Hat JBoss Fuse/A-MQ 6.3 R5 security and bug fix update 2017-11-03 00:08:36 UTC

Comment 1 Adam Mariš 2016-12-22 11:00:35 UTC
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1408165]

Comment 2 Jason Shepherd 2017-01-03 00:39:55 UTC
Could not find any uses for ResourceServlet in Red Hat Mobile Application Platform. Marking as not affected.

Comment 4 Jason Shepherd 2017-01-03 01:27:52 UTC
EAP 5 is in Extended Life Support phase, so we won't fix this moderate issue on that product.

Comment 6 errata-xmlrpc 2017-11-02 20:09:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2017:3115 https://access.redhat.com/errata/RHSA-2017:3115
