1408164 – (CVE-2016-9878) CVE-2016-9878 Spring Framework: Directory Traversal in the Spring Framework ResourceServlet

Bug 1408164 (CVE-2016-9878) - CVE-2016-9878 Spring Framework: Directory Traversal in the Spring Framework ResourceServlet

Summary: CVE-2016-9878 Spring Framework: Directory Traversal in the Spring Framework R...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2016-9878
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1408165
Blocks:	1408166
TreeView+	depends on / blocked

Reported:	2016-12-22 10:59 UTC by Adam Mariš
Modified:	2021-10-21 11:48 UTC (History)
CC List:	56 users (show)
Fixed In Version:	Spring Framework 3.2.18, Spring Framework 4.2.9, Spring Framework 4.3.5
Clone Of:
Environment:
Last Closed:	2021-10-21 11:48:58 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3115	0	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Fuse/A-MQ 6.3 R5 security and bug fix update	2017-11-03 00:08:36 UTC

Description Adam Mariš 2016-12-22 10:59:26 UTC

It was found that paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Upstream bug:

https://jira.spring.io/browse/SPR-14946

Upstream patches:

https://github.com/spring-projects/spring-framework/commit/e2d6e709c3c65a4951eb096843ee75d5200cfcad
https://github.com/spring-projects/spring-framework/commit/43bf008fbcd0d7945e2fcd5e30039bc4d74c7a98
https://github.com/spring-projects/spring-framework/commit/a7dc48534ea501525f11369d369178a60c2f47d0

External References:

https://pivotal.io/security/cve-2016-9878

Comment 1 Adam Mariš 2016-12-22 11:00:35 UTC

Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1408165]

Comment 2 Jason Shepherd 2017-01-03 00:39:55 UTC

Could not find any uses for ResourceServlet in Red Hat Mobile Application Platform. Marking as not affected.

Comment 4 Jason Shepherd 2017-01-03 01:27:52 UTC

EAP 5 is in Extended Life Support phase, so we won't fix this moderate issue on that product.

Comment 6 errata-xmlrpc 2017-11-02 20:09:15 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2017:3115 https://access.redhat.com/errata/RHSA-2017:3115

Note You need to log in before you can comment on or make changes to this bug.

abhgupta
aileenc
alazarot
aszczucz
avibelli
awels
bdawidow
bmcclain
chazlett
dandread
dmcphers
eedri
epp-bugs
etirelli
fnasser
gjospin
gsterlin
gvarsami
huwang
java-sig-commits
jbalunas
jcoleman
jialiu
jokerman
jolee
jpallich
jschatte
jshepherd
kverlaen
ldimaggi
lgao
lmeyer
lsurette
mbaluch
mgoldboi
michal.skrivanek
mmccomas
mweiler
mwinkler
myarboro
nthomas
nwallace
puntogil
rrajasek
rwagner
rzhang
sbonazzo
sisharma
soa-p-jira
srevivo
tcunning
theute
tiwillia
tkirby
twalsh
ykaul