Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2018-1271

Опубликовано: 06 апр. 2018
Источник: nvd
CVSS3: 5.9
CVSS2: 4.3
EPSS Критический

Описание

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Версия от 4.3.0 (включая) до 4.3.15 (исключая)
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Версия от 5.0.0 (включая) до 5.0.5 (исключая)
Конфигурация 2

Одно из

cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:big_data_discovery:1.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*
Версия до 7.0.0.1 (исключая)
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
Версия до 8.3 (исключая)
cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:*
Версия до 10.2.1 (исключая)
cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*
Версия до 6.1.0.4.0 (исключая)
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_calculation_engine:*:*:*:*:*:*:*:*
Версия от 11.0.0 (включая) до 11.3.1 (включая)
cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_rules_palette:11.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:14.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:14.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:14.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:14.0.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:14.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:14.1.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:15.0.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:15.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:15.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:16.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:16.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_open_commerce_platform:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_point-of-sale:14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_point-of-sale:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_predictive_application_server:14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_predictive_application_server:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:tape_library_acsls:8.4:*:*:*:*:*:*:*

EPSS

Процентиль: 100%
0.921
Критический

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-22
CWE-22

Связанные уязвимости

ubuntu логотип

CVE-2018-1271

CVSS3: 5.9
ubuntu
около 7 лет назад

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

redhat логотип

CVE-2018-1271

CVSS3: 6.5
redhat
около 7 лет назад

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

debian логотип

CVE-2018-1271

CVSS3: 5.9
debian
около 7 лет назад

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior t ...

github логотип

GHSA-g8hw-794c-4j9g

CVSS3: 5.9
github
больше 6 лет назад

Path Traversal in org.springframework:spring-core

EPSS

Процентиль: 100%
0.921
Критический

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-22
CWE-22