CVE-2018-1271 – org.springframework:spring-core

Package

Manager: maven
Name: org.springframework:spring-core
Vulnerable Version: >=5.0.0 <5.0.5 || >=0 <4.3.15

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.90926 pctl0.99618

Details

Path Traversal in org.springframework:spring-core Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Metadata

Created: 2018-10-17T20:07:03Z
Modified: 2024-03-07T21:32:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-g8hw-794c-4j9g/GHSA-g8hw-794c-4j9g.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-g8hw-794c-4j9g
Finding: F063
Auto approve: 1