CVE-2018-1271

MEDIUM NUCLEI

Vmware Spring Framework < 4.3.15 - Path Traversal

Title source: rule

Description

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Nuclei Templates (1)

Spring MVC Framework - Local File Inclusion

MEDIUMby hetroublemakr

References (11)

[Patch, Third Party Advisory] http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

[Patch, Third Party Advisory] http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/103699

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2018:1320

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2018:2669

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2018:2939

[Vendor Advisory] https://pivotal.io/security/cve-2018-1271

[Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2020.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpuoct2021.html

[Patch, Third Party Advisory] https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

[Patch, Third Party Advisory] https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Scores

CVSS v3 5.9

EPSS 0.9060

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-22

Status published

Products (50)

oracle/application_testing_suite 12.5.0.3

oracle/application_testing_suite 13.1.0.1

oracle/application_testing_suite 13.2.0.1

oracle/application_testing_suite 13.3.0.1

oracle/big_data_discovery 1.6.0

oracle/communications_converged_application_server < 7.0.0.1

oracle/communications_diameter_signaling_router < 8.3

oracle/communications_performance_intelligence_center < 10.2.1

oracle/communications_policy_management 12.5.0

oracle/communications_services_gatekeeper < 6.1.0.4.0

... and 40 more

Published Apr 06, 2018

Tracked Since Feb 18, 2026