GHSA-2m8h-fgr8-2q9w

Suggest an improvement
Source
https://github.com/advisories/GHSA-2m8h-fgr8-2q9w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-2m8h-fgr8-2q9w/GHSA-2m8h-fgr8-2q9w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2m8h-fgr8-2q9w
Aliases
Published
2018-10-04T20:29:55Z
Modified
2024-03-05T18:01:31.558864Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Pivotal Spring Framework Paths provided to the ResourceServlet were not properly sanitized
Details

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Database specific
{
    "nvd_published_at": "2016-12-29T09:59:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:52:31Z"
}
References

Affected packages

Maven / org.springframework:spring-webmvc

Package

Name
org.springframework:spring-webmvc
View open source insights on deps.dev
Purl
pkg:maven/org.springframework/spring-webmvc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.18

Affected versions

1.*

1.0-rc1
1.0
1.0.1
1.1-rc1
1.1-rc2
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.2-rc1
1.2-rc2
1.2
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9

2.*

2.0-m1
2.0-m2
2.0-m3
2.0-m4
2.0-m5
2.0-rc1
2.0-rc2
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.5
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.6.SEC01
2.5.6.SEC02
2.5.6.SEC03

3.*

3.0.0.RELEASE
3.0.1.RELEASE
3.0.2.RELEASE
3.0.3.RELEASE
3.0.4.RELEASE
3.0.5.RELEASE
3.0.6.RELEASE
3.0.7.RELEASE
3.1.0.RELEASE
3.1.1.RELEASE
3.1.2.RELEASE
3.1.3.RELEASE
3.1.4.RELEASE
3.2.0.RELEASE
3.2.1.RELEASE
3.2.2.RELEASE
3.2.3.RELEASE
3.2.4.RELEASE
3.2.5.RELEASE
3.2.6.RELEASE
3.2.7.RELEASE
3.2.8.RELEASE
3.2.9.RELEASE
3.2.10.RELEASE
3.2.11.RELEASE
3.2.12.RELEASE
3.2.13.RELEASE
3.2.14.RELEASE
3.2.15.RELEASE
3.2.16.RELEASE
3.2.17.RELEASE

Maven / org.springframework:spring-webmvc

Package

Name
org.springframework:spring-webmvc
View open source insights on deps.dev
Purl
pkg:maven/org.springframework/spring-webmvc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.2.9

Affected versions

4.*

4.2.0.RELEASE
4.2.1.RELEASE
4.2.2.RELEASE
4.2.3.RELEASE
4.2.4.RELEASE
4.2.5.RELEASE
4.2.6.RELEASE
4.2.7.RELEASE
4.2.8.RELEASE

Maven / org.springframework:spring-webmvc

Package

Name
org.springframework:spring-webmvc
View open source insights on deps.dev
Purl
pkg:maven/org.springframework/spring-webmvc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.3.0
Fixed
4.3.5

Affected versions

4.*

4.3.0.RELEASE
4.3.1.RELEASE
4.3.2.RELEASE
4.3.3.RELEASE
4.3.4.RELEASE