Description
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
A flaw was found in the Spring Framework. Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. This flaw allows an attacker to craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
Statement
This vulnerability is rated Important severity because it enables path traversal attacks that allow unauthorized access to arbitrary files on the server. Exploiting this flaw could expose sensitive information such as application configuration files, authentication credentials, or environment secrets, potentially compromising the entire system. Moreover, if the application process runs with elevated privileges, an attacker could read system files or gain further control over the server.
Mitigation
Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| A-MQ Clients 2 | org.springframework/spring-webmvc | Not affected | | |
| Red Hat AMQ Broker 7 | org.springframework/spring-webmvc | Will not fix | | |
| Red Hat build of Apache Camel - HawtIO 4 | org.springframework/spring-webmvc | Not affected | | |
| Red Hat Build of Keycloak | org.springframework/spring-webmvc | Will not fix | | |
| Red Hat build of OptaPlanner 8 | org.springframework/spring-webmvc | Affected | | |
| Red Hat Data Grid 8 | org.springframework/spring-webmvc | Affected | | |
| Red Hat Fuse 7 | org.springframework/spring-webmvc | Will not fix | | |
| Red Hat Integration Camel K 1 | org.springframework/spring-webmvc | Will not fix | | |
| Red Hat JBoss Data Grid 7 | org.springframework/spring-webmvc | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 7 | spring-webmvc | Not affected | | |
Additional information
CVSS3: 7.5 High
Related vulnerabilities
Vulnerability in the functional web frameworks WebMvc.fn and WebFlux.fn of the Spring Framework software platform that allows an attacker to gain access to an arbitrary file in the file system
CVSS3: 7.5 High