CVE-2016-9878

HIGH

Spring Framework < 3.2.18, 4.2.x < 4.2.9, 4.3.x < 4.3.5 - Path Traversal via ResourceServlet


Description

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

References (10)

Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1040698
Vendor Advisory (x_refsource_confirm): https://security.netapp.com/advisory/ntap-20180419-0002/
Vendor Advisory (x_refsource_confirm): https://pivotal.io/security/cve-2016-9878
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/95072
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2017:3115
Mailing List (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html

Scores

CVSS v3 7.5
EPSS 0.0493
EPSS Percentile 89.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-22
Status published
Products (34)
n/a/Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5
org.springframework/spring-webmvc 0 - 3.2.18 (Maven)
pivotal_software/spring_framework 4.2.0
pivotal_software/spring_framework 4.3.0
pivotal_software/spring_framework < 3.2.0
vmware/spring_framework 3.2.1
vmware/spring_framework 3.2.2
vmware/spring_framework 3.2.3
vmware/spring_framework 3.2.4
vmware/spring_framework 3.2.5
... and 24 more
Published Dec 29, 2016
Tracked Since Feb 18, 2026