Home > Vulnerability Database > CVE-2018-1271

Mend.io Vulnerability Database

CVE-2018-1271

Good to know:

Date: April 6, 2018

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Language: Java

Severity Score

5.9

Related Resources (22)

Url: https://github.com/spring-projects/spring-framework/commit/b9ebdaaf3710db473a2e1fec8641c316483a22aa

Url: https://github.com/spring-projects/spring-framework/commit/f046a066eceefa0799d1bc89bd6e1318f39bdf69

Url: http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Url: https://access.redhat.com/errata/RHSA-2018:2669

Url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Url: https://github.com/spring-projects/spring-framework/commit/0e28bee0f155b9bf240b4bafc4646e4810cb23f8

Url: https://github.com/spring-projects/spring-framework/commit/13356a7ee2240f740737c5c83bdccdacc30603ab

Url: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Url: https://github.com/spring-projects/spring-framework/commit/91b803a2310344d925e5d4b1709bbcea90375548

Url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Url: https://github.com/spring-projects/spring-framework/commit/695bf2961feffd35b5560ccc982a2189dcca611f

Url: https://github.com/advisories/GHSA-g8hw-794c-4j9g

Url: https://access.redhat.com/errata/RHSA-2018:2939

Url: https://github.com/spring-projects/spring-framework/commit/f59ea610dfcf55cd0b42f6dd76a9b3dab0218aaa

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-1271

Url: https://github.com/spring-projects/spring-framework/commit/98ad23bef8e2e04143f8f5b201380543a8d8c0c3

Url: https://pivotal.io/security/cve-2018-1271

Url: http://www.securityfocus.com/bid/103699

Url: https://www.oracle.com/security-alerts/cpujul2020.html

Url: https://access.redhat.com/errata/RHSA-2018:1320

Url: https://www.oracle.com/security-alerts/cpuoct2021.html

Url: https://www.mend.io/vulnerability-database/CVE-2018-1271

Severity Score

5.9

Weakness Type (CWE)

Path Traversal

CWE-22

Top Fix

Upgrade Version

Upgrade to version org.springframework:spring-webflux:5.0.5.RELEASE,org.springframework:spring-webmvc:4.3.15.RELEASE,5.0.5.RELEASE

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-1271

Good to know:

Date: April 6, 2018

Language: Java

Severity Score

Related Resources (22)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?