Type: Bug
Status: Closed
Priority: Minor
Resolution: Done
Affects Version/s: FIS 2.0
Fix Version/s: fuse-7.0
Component/s: FIS-Productization Pipeline
Security Sensitive Issue: This issue is security relevant
Security Tracking Issue
Do not make this issue public.
This bug is subject to the Security Errata Policy.
The overall impact of the blocking security issue(s) is Moderate. Based on this impact, this bug must be resolved by 05-Apr-2019.
Please refer to the Security Errata Policy documentation for further details: https://docs.prodsec.redhat.com/policy-guide/#policy-errata
Flaw:
CVE-2018-1271 spring-framework: Directory traversal vulnerability with static resources on Windows filesystems
https://bugzilla.redhat.com/show_bug.cgi?id=1571050
Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath or the ServletContext), a malicious user can send a request with a specially crafted URL that can lead to a directory traversal attack.
This vulnerability does not affect applications that use versions of Spring Security patched for CVE-2018-1199.
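The security-relevant point in the flaw description is that a handler serving static files from the file system (rather than from the classpath or the ServletContext) has to confirm that the resolved file still lies under the configured location, and that on Windows a backslash is a directory separator too, so a check that only looks for "../" is not enough there. The following is an added example for this page, not code from Spring Framework or from this issue: the function name, the `windows` flag that simulates Windows separator semantics, the root directory and the request strings are all constructed for illustration.

```python
"""Added example, not Spring Framework code: a minimal resolver for a
file-system-backed static-resource handler, showing the containment check the
flaw above is about. Function name, root directory and sample requests are
constructed for this illustration."""
import os
import posixpath
from typing import Optional
from urllib.parse import unquote


def resolve_static(request_path: str, root: str, windows: bool = False) -> Optional[str]:
    """Map the remainder of a request path (after the handler prefix) to a file
    under `root`; return None when the request must be refused.

    `windows=True` simulates Windows separator semantics: there a backslash is
    a directory separator as well, so it must be normalised before any '..'
    check. A resolver that only looks for '../' lets 'css\\..\\..\\x' through on
    Windows, while the same string is merely an odd file name on POSIX.
    The final containment check uses the host's own path rules.
    """
    path = unquote(request_path)          # decode exactly once; never re-decode
    if "\x00" in path:                    # an embedded NUL truncates names in C APIs
        return None
    if windows:
        path = path.replace("\\", "/")
    segments = [s for s in path.split("/") if s not in ("", ".")]
    # Refuse any '..' segment outright instead of reasoning about which ones
    # actually escape the root; static resources never need one.
    if not segments or any(s == ".." for s in segments):
        return None
    rel = posixpath.join(*segments)
    root_abs = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root_abs, rel))
    # Defence in depth: whatever normalisation did, the result must sit under root.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


if __name__ == "__main__":
    ROOT = "/srv/app/static"              # constructed root directory for the example
    for req, win in [("css/app.css", False),
                     ("..%2F..%2Fetc/passwd", False),
                     ("css\\..\\..\\secret.txt", False),
                     ("css\\..\\..\\secret.txt", True)]:
        print(f"{req!r:32} windows={win!s:5} -> {resolve_static(req, ROOT, win)}")
```

The same backslash request is accepted as a literal file name under POSIX rules and refused once Windows separator semantics are applied, which is the distinction the flaw description draws between serving from the file system on Windows and serving from the classpath or ServletContext.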
External Reference:
- relates to ENTESB-8456 CVE-2018-1199 spring: spring-framework: Improper URL path validation allows for bypassing of security checks on static resources [fis-2.0] (Closed)