CVE-2018-1271

MEDIUM NUCLEI

Spring Framework 4.3.0-4.3.14 - Path Traversal via Static Resource Request

Title source: llm

Exploitation Summary

CVE-2018-1271 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Nuclei Templates (1)

Spring MVC Framework - Local File Inclusion

MEDIUMby hetroublemakr

References (11)

Core 11

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/103699

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:2669

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:2939

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:1320

Patch, Third Party Advisory x_refsource_confirm

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Patch, Third Party Advisory x_refsource_confirm

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpujul2020.html

Patch, Third Party Advisory x_refsource_confirm

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Vendor Advisory x_refsource_confirm

https://pivotal.io/security/cve-2018-1271

Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuoct2021.html

Scores

CVSS v3 5.9

EPSS 0.3568

EPSS Percentile 98.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-22

Status published

Products (50)

oracle/application_testing_suite 12.5.0.3

oracle/application_testing_suite 13.1.0.1

oracle/application_testing_suite 13.2.0.1

oracle/application_testing_suite 13.3.0.1

oracle/big_data_discovery 1.6.0

oracle/communications_converged_application_server < 7.0.0.1

oracle/communications_diameter_signaling_router < 8.3

oracle/communications_performance_intelligence_center < 10.2.1

oracle/communications_policy_management 12.5.0

oracle/communications_services_gatekeeper < 6.1.0.4.0

... and 40 more

Published Apr 06, 2018

Tracked Since Feb 18, 2026