CVE-2018-1271: Path Traversal
Pivotal Spring Framework could allow a remote attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send a specially crafted URL containing "dot dot" sequences (/../) to an application that has configured Spring MVC to serve static resources.
Other sources
Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
This vulnerability does not affect applications that use versions of Spring Security patched for CVE-2018-1199.
External Reference:
https://pivotal.io/security/cve-2018-1271
— Red Hat
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
— GitHub
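The descriptions above both come down to one observable: a request for a static-resource path that carries "dot dot" segments, possibly percent-encoded or using Windows backslash separators. The following is an added detection example for this advisory, not code from Spring, Pivotal, Red Hat or GitHub. The access-log lines are constructed, and the /static/ prefix is an assumption about where the audited application maps its resource handler; it percent-decodes repeatedly so double-encoded sequences are not missed, folds backslashes to slashes, and only then looks for a literal ".." path segment, so names like "a..b" do not produce false positives.

```python
"""Flag requests for a Spring MVC static-resource path that contain
directory-traversal sequences (the CVE-2018-1271 pattern).

Added example for this advisory; not Spring/Pivotal code. Log lines are
constructed. STATIC_PREFIX is an assumption about the app's configuration.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

STATIC_PREFIX = "/static/"  # assumption: resource-handler mapping of the audited app

# Constructed access-log lines (common-log-like: client, timestamp, request, status).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2018:10:00:01 +0000] "GET /static/css/site.css HTTP/1.1" 200
10.0.0.5 - - [01/Apr/2018:10:00:02 +0000] "GET /static/js/app.js HTTP/1.1" 200
10.0.0.9 - - [01/Apr/2018:10:00:03 +0000] "GET /static/../application.properties HTTP/1.1" 404
10.0.0.9 - - [01/Apr/2018:10:00:04 +0000] "GET /static/%2e%2e/%2e%2e/application.properties HTTP/1.1" 200
10.0.0.9 - - [01/Apr/2018:10:00:05 +0000] "GET /static/..%5c..%5cwin.ini HTTP/1.1" 200
10.0.0.7 - - [01/Apr/2018:10:00:06 +0000] "GET /api/items?q=..%2f HTTP/1.1" 200
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalize(path: str) -> str:
    """Percent-decode until stable (catches double encoding) and fold
    backslashes to slashes, since a Windows file system accepts both."""
    prev, cur = None, path
    for _ in range(3):  # bounded: three rounds cover realistic nesting
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def has_traversal(request_path: str) -> bool:
    """True when any path segment, after normalization, is exactly '..'."""
    path_only = request_path.split("?", 1)[0]  # query string is not a file path
    return ".." in normalize(path_only).split("/")


def scan_log(text: str, prefix: str = STATIC_PREFIX) -> List[Dict]:
    """Return one record per request under `prefix` that contains traversal."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        raw = m.group("path")
        if not raw.startswith(prefix):
            continue  # only the static-resource handler is in scope here
        if has_traversal(raw):
            hits.append({
                "path": raw,
                "normalized": normalize(raw.split("?", 1)[0]),
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        # A 2xx on a traversal path is the record worth escalating; a 4xx is
        # still an attempt worth counting against the source address.
        print(f'{hit["status"]} {hit["path"]}  ->  {hit["normalized"]}')
```

The status code is kept with each hit deliberately: a 200 on a normalized path containing ".." suggests the server handed something back and deserves triage, while repeated 4xx responses from one client still indicate probing against the resource handler.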
Frequently Asked Questions
What is the severity of CVE-2018-1271?
CVE-2018-1271 has been designated a high severity vulnerability.
How do I fix CVE-2018-1271?
To fix CVE-2018-1271, upgrade to Spring Framework versions 4.3.15 or 5.0.5.
Who is affected by CVE-2018-1271?
CVE-2018-1271 affects users of the Pivotal Spring Framework prior to versions 4.3.15 and 5.0.5.
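To turn the affected and fixed versions named in the two answers above into a repeatable check, here is an added example (not Pivotal's or Spring's code) that parses a Spring Framework version string, decides whether it falls in the ranges this advisory lists (4.3 up to 4.3.14, 5.0 up to 5.0.4, and older unsupported lines), names the fixed release to move to, and runs that assessment over the org.springframework dependencies in a constructed pom.xml fragment, resolving a ${spring.version} property the way Maven would. The pom content is constructed; the group and artifact coordinates are the real ones.

```python
"""Assess Spring Framework versions against the CVE-2018-1271 affected ranges
and locate them in a Maven pom. Added example for this advisory; the pom
fragment is constructed, the ranges and fixed releases are the advisory's."""
import re
from typing import Dict, Optional, Tuple

SPRING_GROUP = "org.springframework"

# Constructed pom.xml fragment; the version is supplied through a property.
SAMPLE_POM = """\
<project>
  <properties>
    <java.version>1.8</java.version>
    <spring.version>5.0.4.RELEASE</spring.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.5</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Keep the leading numeric components: '5.0.4.RELEASE' -> (5, 0, 4)."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    if not nums:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(nums)


def assess(version: str) -> Dict:
    """Return whether `version` is in an affected range and the fixed release."""
    v = parse_version(version)
    line, patch = v[:2], (v[2] if len(v) > 2 else 0)
    fixed_in: Optional[str]
    if line == (5, 0):
        affected, fixed_in = patch <= 4, "5.0.5"
    elif line == (4, 3):
        affected, fixed_in = patch <= 14, "4.3.15"
    elif v < (4, 3):
        affected, fixed_in = True, "4.3.15"  # older, unsupported line: move to a fixed supported release
    else:
        affected, fixed_in = False, None
    return {"version": version, "affected": affected, "fixed_in": fixed_in if affected else None}


def _properties(pom: str) -> Dict[str, str]:
    m = re.search(r"<properties>(.*?)</properties>", pom, re.S)
    return dict(re.findall(r"<([\w.\-]+)>\s*([^<]+?)\s*</\1>", m.group(1))) if m else {}


def spring_artifacts(pom: str) -> Dict[str, str]:
    """Map each org.springframework artifactId to its resolved version string."""
    props = _properties(pom)
    found = {}
    for dep in re.findall(r"<dependency>(.*?)</dependency>", pom, re.S):
        g = re.search(r"<groupId>\s*([^<]+?)\s*</groupId>", dep)
        a = re.search(r"<artifactId>\s*([^<]+?)\s*</artifactId>", dep)
        v = re.search(r"<version>\s*([^<]+?)\s*</version>", dep)
        if not (g and a and v) or g.group(1) != SPRING_GROUP:
            continue
        # Expand ${name} from <properties>; unknown names are left as-is.
        resolved = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), v.group(1))
        found[a.group(1)] = resolved
    return found


def audit_pom(pom: str) -> Dict[str, Dict]:
    return {artifact: assess(ver) for artifact, ver in spring_artifacts(pom).items()}


if __name__ == "__main__":
    for artifact, result in audit_pom(SAMPLE_POM).items():
        state = f'affected, upgrade to {result["fixed_in"]}' if result["affected"] else "not affected"
        print(f'{artifact} {result["version"]}: {state}')
```

Dependency management, BOM imports and transitive versions are out of scope for this fragment-level check; for a real project, run the same assess() over the versions Maven actually resolves (for example from the dependency tree) rather than over the declared pom alone.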
What is the impact of CVE-2018-1271?
CVE-2018-1271 could allow a remote attacker to perform directory traversal attacks.
Is CVE-2018-1271 related to any specific software?
Yes, CVE-2018-1271 is specifically related to the Pivotal Spring Framework.