Lucene search

GitHub Advisory DatabaseGHSA-HHM4-HWQ6-3C6W

HistoryMay 13, 2022 - 1:02 a.m.

Improper Limitation of a Pathname to a Restricted Directory in Spring Framework

2022-05-1301:02:39

CWE-22

GitHub Advisory Database

github.com

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

75.6%

JSON

Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

CPENameOperatorVersion
org.springframework:spring-webmvclt4.1.2
org.springframework:spring-webmvclt4.0.8
org.springframework:spring-webmvclt3.2.12

Name	Operator	Version
org.springframework:spring-webmvc	lt	4.1.2
org.springframework:spring-webmvc	lt	4.0.8
org.springframework:spring-webmvc	lt	3.2.12

References

rhn.redhat.com/errata/RHSA-2015-0236.html

rhn.redhat.com/errata/RHSA-2015-0720.html

www.pivotal.io/security/cve-2014-3625

github.com/advisories/GHSA-hhm4-hwq6-3c6w

github.com/spring-projects/spring-framework/commit/161d3e3049f129e211f68a4e94b544e0f0d8384d

github.com/spring-projects/spring-framework/commit/3f68cd633f03370d33c2603a6496e81273782601

github.com/spring-projects/spring-framework/commit/9beae9ae4226c45cd428035dae81214439324676

github.com/spring-projects/spring-framework/commit/9cef8e3001ddd61c734281a7556efd84b6cc2755

jira.spring.io/browse/SPR-12354

lists.debian.org/debian-lts-announce/2019/07/msg00012.html

nvd.nist.gov/vuln/detail/CVE-2014-3625

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

75.6%

JSON

Related for GHSA-HHM4-HWQ6-3C6W