CVE-2018-1271

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-1271

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1271.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-1271

Aliases

GHSA-g8hw-794c-4j9g

Withdrawn

2024-05-15T05:31:23.012948Z

Published

2018-04-06T13:29:00Z

Modified

2023-11-08T03:59:50.958101Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

References

Affected packages

Git / github.com/spring-projects/spring-framework

Affected ranges

Type: GIT
Repo: https://github.com/spring-projects/spring-framework
Events: Introduced

f4f990b2c900a9b325fd0770d9064a188d073253

Fixed

4b9bc50fd057bb20278dc137820159f600cce324

Introduced

b49d801f241fb8088a5b7514db93fda32c58731c