#VU11752 Path traversal in Pivotal Spring Framework - CVE-2018-1271

Cybersecurity Help s.r.o.

Published: 2018-04-11

Vulnerability identifier: #VU11752

Vulnerability risk: Low

CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-1271

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pivotal Spring Framework
Server applications / Frameworks for developing and running applications

Vendor: Pivotal

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the spring-webmvc module due to the improper serving of static resources from a file system on Microsoft Windows systems. A remote attacker can send a malicious request using a crafted URL, trigger directory traversal, overwrite, delete or read potentially sensitive file information.

Mitigation
Update to versions 5.0.5 or 4.3.15.

Vulnerable software versions

Pivotal Spring Framework: 4.3.0 - 4.3.14, 5.0.0 - 5.0.4

External links
https://pivotal.io/security/cve-2018-1271

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Engineering Requirements Management DOORS/DWA

Multiple vulnerabilities in IBM Cognos Controller

Multiple vulnerabilities in Dell Support Assist Enterprise

Multiple vulnerabilities in Pivotal Spring Framework