github - ghsa-2m8h-fgr8-2q9w

ghsa-2m8h-fgr8-2q9w

Vulnerability from github

Published

2018-10-04 20:29

Modified

2024-03-05 17:45

Severity

7.5 (High) - CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

Pivotal Spring Framework Paths provided to the ResourceServlet were not properly sanitized

Details

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework:spring-webmvc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework:spring-webmvc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework:spring-webmvc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-9878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:52:31Z",
    "nvd_published_at": "2016-12-29T09:59:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.",
  "id": "GHSA-2m8h-fgr8-2q9w",
  "modified": "2024-03-05T17:45:42Z",
  "published": "2018-10-04T20:29:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9878"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/issues/19513"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/43bf008fbcd0d7945e2fcd5e30039bc4d74c7a98"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/a7dc48534ea501525f11369d369178a60c2f47d0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/e2d6e709c3c65a4951eb096843ee75d5200cfcad"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3115"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-2m8h-fgr8-2q9w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spring-projects/spring-framework"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2016-9878"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20180419-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95072"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040698"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pivotal Spring Framework Paths provided to the ResourceServlet were not properly sanitized"
}

cve-2016-9878

Vulnerability from cvelistv5

Published

2016-12-29 09:02

Modified

2024-08-06 03:07

Severity

Summary

References

URL	Tags
http://www.securitytracker.com/id/1040698	vdb-entry, x_refsource_SECTRACK
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	x_refsource_CONFIRM
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html	x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20180419-0002/	x_refsource_CONFIRM
https://pivotal.io/security/cve-2016-9878	x_refsource_CONFIRM
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	x_refsource_CONFIRM
http://www.securityfocus.com/bid/95072	vdb-entry, x_refsource_BID
https://access.redhat.com/errata/RHSA-2017:3115	vendor-advisory, x_refsource_REDHAT
https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html	mailing-list, x_refsource_MLIST
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	x_refsource_MISC

Impacted products

Vendor	Product
n/a	Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5

Show details on NVD website