Bug 1571050 (CVE-2018-1271) - CVE-2018-1271 spring-framework: Directory traversal vulnerability with static resources on Windows filesystems
Summary: CVE-2018-1271 spring-framework: Directory traversal vulnerability with static...
Status: NEW
Alias: CVE-2018-1271
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180405,repor...
Keywords: Security
Depends On: 1700953 1700986
Blocks: 1571053
TreeView+ depends on / blocked
 
Reported: 2018-04-24 02:38 UTC by Sam Fowler
Modified: 2019-05-16 13:31 UTC (History)
73 users (show)

(edit)
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1320 None None None 2018-05-03 17:07 UTC
Red Hat Product Errata RHSA-2018:2669 None None None 2018-09-11 07:55 UTC
Red Hat Product Errata RHSA-2018:2939 None None None 2018-10-17 19:30 UTC

Description Sam Fowler 2018-04-24 02:38:14 UTC
Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

This vulnerability does not affect applications that use versions of Spring Security patched for CVE-2018-1199. 


External Reference:

https://pivotal.io/security/cve-2018-1271

Comment 3 errata-xmlrpc 2018-05-03 17:06:58 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2018:1320 https://access.redhat.com/errata/RHSA-2018:1320

Comment 5 errata-xmlrpc 2018-09-11 07:54:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669

Comment 6 errata-xmlrpc 2018-10-17 19:29:59 UTC
This issue has been addressed in the following products:

  Red Hat Fuse Intergration Services 2.0 based on Fuse 6.3 R8

Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939

Comment 11 Joshua Padman 2019-05-16 13:31:29 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss BRMS 5
 * Red Hat Enterprise Application Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.


Note You need to log in before you can comment on or make changes to this bug.