Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJtOGgtZmdyOC0ycTl3
Pivotal Spring Framework Paths provided to the ResourceServlet were not properly sanitized
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
Permalink: https://github.com/advisories/GHSA-2m8h-fgr8-2q9wJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJtOGgtZmdyOC0ycTl3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: about 2 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-2m8h-fgr8-2q9w, CVE-2016-9878
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-9878
- https://access.redhat.com/errata/RHSA-2017:3115
- https://github.com/advisories/GHSA-2m8h-fgr8-2q9w
- https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html
- https://pivotal.io/security/cve-2016-9878
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.securityfocus.com/bid/95072
- http://www.securitytracker.com/id/1040698
- https://github.com/spring-projects/spring-framework/issues/19513
- https://github.com/spring-projects/spring-framework/commit/43bf008fbcd0d7945e2fcd5e30039bc4d74c7a98
- https://github.com/spring-projects/spring-framework/commit/a7dc48534ea501525f11369d369178a60c2f47d0
- https://github.com/spring-projects/spring-framework/commit/e2d6e709c3c65a4951eb096843ee75d5200cfcad
- https://security.netapp.com/advisory/ntap-20180419-0002
Blast Radius: 40.2
Affected Packages
maven:org.springframework:spring-webmvc
Dependent packages: 4,621Dependent repositories: 227,195
Downloads:
Affected Version Ranges: >= 4.3.0, < 4.3.5, >= 4.2.0, < 4.2.9, < 3.2.18
Fixed in: 4.3.5, 4.2.9, 3.2.18
All affected versions: 1.0.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6
All unaffected versions: 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.3.9, 5.3.10, 5.3.11, 5.3.12, 5.3.13, 5.3.14, 5.3.15, 5.3.16, 5.3.17, 5.3.18, 5.3.19, 5.3.20, 5.3.21, 5.3.22, 5.3.23, 5.3.24, 5.3.25, 5.3.26, 5.3.27, 5.3.28, 5.3.29, 5.3.30, 5.3.31, 5.3.32, 5.3.33, 5.3.34, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.0.16, 6.0.17, 6.0.18, 6.0.19, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6