Security Tracking Issue
Do not make this issue public.
This bug is subject to the Security Errata Policy.
The overall impact of the blocking security issue(s) is Moderate. Based on this impact, this bug must be resolved by 05-Apr-2019.
Please refer to the Security Errata Policy documentation for further details: https://docs.prodsec.redhat.com/policy-guide/#policy-errata
CVE-2018-1271 spring-framework: Directory traversal vulnerability with static resources on Windows filesystems
Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
This vulnerability does not affect applications that use versions of Spring Security patched for CVE-2018-1199.