CVE-2018-1271

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Published : 2018-04-06 13:29 Updated : 2019-07-23 23:15

CVSS Score: 4.3 / 10
Vendor Product Version URI
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0
Pivotal Software Spring Framework 4.3.1 cpe:/a:pivotal_software:spring_framework:4.3.1
Pivotal Software Spring Framework 4.3.2 cpe:/a:pivotal_software:spring_framework:4.3.2
Pivotal Software Spring Framework 4.3.3 cpe:/a:pivotal_software:spring_framework:4.3.3
Pivotal Software Spring Framework 4.3.4 cpe:/a:pivotal_software:spring_framework:4.3.4
Pivotal Software Spring Framework 4.2.9 cpe:/a:pivotal_software:spring_framework:4.2.9
Pivotal Software Spring Framework 4.3.5 cpe:/a:pivotal_software:spring_framework:4.3.5
Pivotal Software Spring Framework 4.3.6 cpe:/a:pivotal_software:spring_framework:4.3.6
Pivotal Software Spring Framework 4.3.7 cpe:/a:pivotal_software:spring_framework:4.3.7
Pivotal Software Spring Framework 4.3.8 cpe:/a:pivotal_software:spring_framework:4.3.8
Pivotal Software Spring Framework 4.3.9 cpe:/a:pivotal_software:spring_framework:4.3.9
Pivotal Software Spring Framework 4.3.10 cpe:/a:pivotal_software:spring_framework:4.3.10
Pivotal Software Spring Framework 4.3.11 cpe:/a:pivotal_software:spring_framework:4.3.11
Pivotal Software Spring Framework 4.3.12 cpe:/a:pivotal_software:spring_framework:4.3.12
Pivotal Software Spring Framework 4.3.13 cpe:/a:pivotal_software:spring_framework:4.3.13
Pivotal Software Spring Framework 4.3.14 cpe:/a:pivotal_software:spring_framework:4.3.14
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0
Pivotal Software Spring Framework 5.0.1 cpe:/a:pivotal_software:spring_framework:5.0.1
Pivotal Software Spring Framework 5.0.2 cpe:/a:pivotal_software:spring_framework:5.0.2
Pivotal Software Spring Framework 5.0.3 cpe:/a:pivotal_software:spring_framework:5.0.3
Pivotal Software Spring Framework 5.0.4 cpe:/a:pivotal_software:spring_framework:5.0.4
Oracle Application Testing Suite 12.5.0.3 cpe:/a:oracle:application_testing_suite:12.5.0.3
Oracle Application Testing Suite 13.1.0.1 cpe:/a:oracle:application_testing_suite:13.1.0.1
Oracle Application Testing Suite 13.2.0.1 cpe:/a:oracle:application_testing_suite:13.2.0.1
Oracle Application Testing Suite 13.3.0.1 cpe:/a:oracle:application_testing_suite:13.3.0.1
Oracle Big Data Discovery 1.6.0 cpe:/a:oracle:big_data_discovery:1.6.0
Oracle Communications Diameter Signaling Router 6.0 cpe:/a:oracle:communications_diameter_signaling_router:6.0
Oracle Communications Diameter Signaling Router 8.1 cpe:/a:oracle:communications_diameter_signaling_router:8.1
Oracle Communications Diameter Signaling Router 8.2 cpe:/a:oracle:communications_diameter_signaling_router:8.2
Oracle Enterprise Manager Ops Center 12.2.2 cpe:/a:oracle:enterprise_manager_ops_center:12.2.2
Oracle Enterprise Manager Ops Center 12.3.3 cpe:/a:oracle:enterprise_manager_ops_center:12.3.3
Oracle Goldengate For Big Data 12.2.0.1 cpe:/a:oracle:goldengate_for_big_data:12.2.0.1
Oracle Goldengate For Big Data 12.3.1.1 cpe:/a:oracle:goldengate_for_big_data:12.3.1.1
Oracle Goldengate For Big Data 12.3.2.1 cpe:/a:oracle:goldengate_for_big_data:12.3.2.1
Oracle Health Sciences Information Manager 3.0 cpe:/a:oracle:health_sciences_information_manager:3.0
Oracle Healthcare Master Person Index 3.0 cpe:/a:oracle:healthcare_master_person_index:3.0
Oracle Healthcare Master Person Index 4.0 cpe:/a:oracle:healthcare_master_person_index:4.0
Oracle Insurance Calculation Engine 10.1.1 cpe:/a:oracle:insurance_calculation_engine:10.1.1
Oracle Insurance Calculation Engine 10.2 cpe:/a:oracle:insurance_calculation_engine:10.2
Oracle Insurance Calculation Engine 10.2.1 cpe:/a:oracle:insurance_calculation_engine:10.2.1
Oracle Insurance Rules Palette 10.0 cpe:/a:oracle:insurance_rules_palette:10.0
Oracle Insurance Rules Palette 10.1 cpe:/a:oracle:insurance_rules_palette:10.1
Oracle Insurance Rules Palette 10.2 cpe:/a:oracle:insurance_rules_palette:10.2
Oracle Insurance Rules Palette 11.0 cpe:/a:oracle:insurance_rules_palette:11.0
Oracle Insurance Rules Palette 11.1 cpe:/a:oracle:insurance_rules_palette:11.1
Oracle Primavera Gateway 15.2 cpe:/a:oracle:primavera_gateway:15.2
Oracle Primavera Gateway 16.2 cpe:/a:oracle:primavera_gateway:16.2
Oracle Primavera Gateway 17.12 cpe:/a:oracle:primavera_gateway:17.12
Oracle Retail Back Office 14.0 cpe:/a:oracle:retail_back_office:14.0
Oracle Retail Back Office 14.1 cpe:/a:oracle:retail_back_office:14.1
Oracle Retail Central Office 14.0 cpe:/a:oracle:retail_central_office:14.0
Oracle Retail Central Office 14.1 cpe:/a:oracle:retail_central_office:14.1
Oracle Retail Customer Insights 15.0 cpe:/a:oracle:retail_customer_insights:15.0
Oracle Retail Customer Insights 16.0 cpe:/a:oracle:retail_customer_insights:16.0
Oracle Retail Integration Bus 14.0.1 cpe:/a:oracle:retail_integration_bus:14.0.1
Oracle Retail Integration Bus 14.0.2 cpe:/a:oracle:retail_integration_bus:14.0.2
Oracle Retail Integration Bus 14.0.3 cpe:/a:oracle:retail_integration_bus:14.0.3
Oracle Retail Integration Bus 14.0.4 cpe:/a:oracle:retail_integration_bus:14.0.4
Oracle Retail Integration Bus 14.1.1 cpe:/a:oracle:retail_integration_bus:14.1.1
Oracle Retail Integration Bus 14.1.2 cpe:/a:oracle:retail_integration_bus:14.1.2
Oracle Retail Integration Bus 14.1.3 cpe:/a:oracle:retail_integration_bus:14.1.3
Oracle Retail Integration Bus 15.0.0.1 cpe:/a:oracle:retail_integration_bus:15.0.0.1
Oracle Retail Integration Bus 15.0.1 cpe:/a:oracle:retail_integration_bus:15.0.1
Oracle Retail Integration Bus 15.0.2 cpe:/a:oracle:retail_integration_bus:15.0.2
Oracle Retail Integration Bus 16.0 cpe:/a:oracle:retail_integration_bus:16.0
Oracle Retail Integration Bus 16.0.1 cpe:/a:oracle:retail_integration_bus:16.0.1
Oracle Retail Integration Bus 16.0.2 cpe:/a:oracle:retail_integration_bus:16.0.2
Oracle Retail Open Commerce Platform 5.3.0 cpe:/a:oracle:retail_open_commerce_platform:5.3.0
Oracle Retail Open Commerce Platform 6.0.0 cpe:/a:oracle:retail_open_commerce_platform:6.0.0
Oracle Retail Open Commerce Platform 6.0.1 cpe:/a:oracle:retail_open_commerce_platform:6.0.1
Oracle Retail Order Broker 5.1 cpe:/a:oracle:retail_order_broker:5.1
Oracle Retail Order Broker 5.2 cpe:/a:oracle:retail_order_broker:5.2
Oracle Retail Order Broker 15.0 cpe:/a:oracle:retail_order_broker:15.0
Oracle Retail Order Broker 16.0 cpe:/a:oracle:retail_order_broker:16.0
Oracle Retail Point-of-sale 14.0 cpe:/a:oracle:retail_point-of-sale:14.0
Oracle Retail Point-of-sale 14.1 cpe:/a:oracle:retail_point-of-sale:14.1
Oracle Retail Predictive Application Server 14.0 cpe:/a:oracle:retail_predictive_application_server:14.0
Oracle Retail Predictive Application Server 14.1 cpe:/a:oracle:retail_predictive_application_server:14.1
Oracle Retail Predictive Application Server 15.0 cpe:/a:oracle:retail_predictive_application_server:15.0
Oracle Retail Predictive Application Server 16.0 cpe:/a:oracle:retail_predictive_application_server:16.0
Oracle Retail Returns Management 14.0 cpe:/a:oracle:retail_returns_management:14.0
Oracle Retail Returns Management 14.1 cpe:/a:oracle:retail_returns_management:14.1
Oracle Service Architecture Leveraging Tuxedo 12.1.3.0.0 cpe:/a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0
Oracle Service Architecture Leveraging Tuxedo 12.2.2.0.0 cpe:/a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0
Oracle Tape Library Acsls 8.4 cpe:/a:oracle:tape_library_acsls:8.4
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0:-
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0:rc1
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0:rc2
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:-
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone1
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone2
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone3
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone4
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone5
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc1
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc2
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc3
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc4

CWE

ID Name Description
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

History of changes

Date Event
2019-07-23 23:15
2019-01-16 19:29
2018-10-18 10:29
2018-10-17 01:31
2018-09-12 10:29
2018-07-19 01:29
2018-05-15 18:42
2018-05-10 16:27
2018-05-05 01:29
2018-04-12 01:29
2018-04-06 13:29