Fluid Attacks Database

Description

Improper Limitation of a Pathname to a Restricted Directory in Spring Framework Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.springframework:spring-core	>=3.0.0 <3.2.9 \|\| >=4.0.0 <4.0.5	3.2.9, 4.0.5
debian 13	libspring-java	>=0 <3.2.13-1	3.2.13-1
debian 14	libspring-java	>=0 <3.2.13-1	3.2.13-1
maven	org.springframework:spring-webmvc	>=3.2-alpha0 <=3.2.8.release \|\| >=4.0-alpha0 <=4.0.4.release	3.2.9.release, 4.0.5.release
debian 11	libspring-java	>=0 <3.2.13-1	3.2.13-1
debian 12	libspring-java	>=0 <3.2.13-1	3.2.13-1

Aliases

1. CVE-2014-35782. NVD-2014-35783. OSV-2014-35784. OSV-DEBIAN-2014-35785. GCVE-2014-35786. lists.debian.org7. SECURITY-TRACKER-CVE-2014-35788. PIVOTAL-cve-2014-3578

References

1. https://github.com/spring-projects/spring-framework/issues/164142. https://github.com/spring-projects/spring-framework/commit/748167bfa33c3c69db2d8dbdc3a0e9da692da3a03. https://github.com/spring-projects/spring-framework/commit/8ee465103850a3dca018273fe5952e40d5c45a664. https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d5. https://bugzilla.redhat.com/show_bug.cgi?id=11318826. https://rhn.redhat.com/errata/RHSA-2015-0234.html7. https://rhn.redhat.com/errata/RHSA-2015-0235.html8. http://jvn.jp/en/jp/JVN49154900/index.html9. http://jvndb.jvn.jp/jvndb/JVNDB-2014-00005410. http://pivotal.io/security/cve-2014-357811. http://rhn.redhat.com/errata/RHSA-2015-0720.html12. http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html13. https://jira.spring.io/browse/SPR-12354

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.