Vulnerability Description
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CVSS Score
MEDIUM (CVSS base score 5.9)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| VMware | Spring Framework | >= 4.3.0, < 4.3.15 |
| Oracle | Application Testing Suite | 12.5.0.3 |
| Oracle | Big Data Discovery | 1.6.0 |
| Oracle | Communications Converged Application Server | < 7.0.0.1 |
| Oracle | Communications Diameter Signaling Router | < 8.3 |
| Oracle | Communications Performance Intelligence Center | < 10.2.1 |
| Oracle | Communications Policy Management | 12.5.0 |
| Oracle | Communications Services Gatekeeper | < 6.1.0.4.0 |
| Oracle | Enterprise Manager Ops Center | 12.2.2 |
| Oracle | Goldengate For Big Data | 12.2.0.1 |
| Oracle | Health Sciences Information Manager | 3.0 |
| Oracle | Healthcare Master Person Index | 3.0 |
| Oracle | Insurance Calculation Engine | >= 11.0.0, <= 11.3.1 |
| Oracle | Insurance Rules Palette | 10.0 |
| Oracle | Primavera Gateway | 15.2 |
| Oracle | Rapid Planning | 12.1 |
| Oracle | Retail Back Office | 14.0 |
| Oracle | Retail Central Office | 14.0 |
| Oracle | Retail Customer Insights | 15.0 |
| Oracle | Retail Integration Bus | 14.0.1 |
Related Weaknesses (CWE)
References
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (Patch, Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (Patch, Third Party Advisory)
- http://www.securityfocus.com/bid/103699 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2018:1320 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:2669 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:2939 (Third Party Advisory)
- https://pivotal.io/security/cve-2018-1271 (Vendor Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (Patch, Third Party Advisory)
FAQ
What is CVE-2018-1271?
CVE-2018-1271 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, image...
How severe is CVE-2018-1271?
CVE-2018-1271 has been rated MEDIUM with a CVSS base score of 5.9/10. See the CVSS score section above for the severity rating.
Is there a patch for CVE-2018-1271?
Check the references section above for vendor advisories and patch information. Affected products include: VMware Spring Framework, Oracle Application Testing Suite, Oracle Big Data Discovery, Oracle Communications Converged Application Server, Oracle Communications Diameter Signaling Router.