Vulnerabilities > CVE-2018-1271

CVSS 5.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

high complexity

vmware

oracle

nessus

NVD

Published: 2018-04-06

Updated: 2024-11-21

Summary

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Vulnerable Configurations

Part	Description	Count
Application	Vmware Vmware Spring Framework 5.0.0 Vmware Spring Framework 5.0.1 Vmware Spring Framework 5.0.2 Vmware Spring Framework 5.0.3 Vmware Spring Framework 5.0.4 Vmware Spring Framework 4.3.0 Vmware Spring Framework 4.3.1 Vmware Spring Framework 4.3.2 Vmware Spring Framework 4.3.3 Vmware Spring Framework 4.3.4 Vmware Spring Framework 4.3.5 Vmware Spring Framework 4.3.6 Vmware Spring Framework 4.3.7 Vmware Spring Framework 4.3.8 Vmware Spring Framework 4.3.9 Vmware Spring Framework 4.3.10 Vmware Spring Framework 4.3.11 Vmware Spring Framework 4.3.12 Vmware Spring Framework 4.3.13 Vmware Spring Framework 4.3.14	31
Application	Oracle Oracle Retail Xstore Point OF Service 7.1 Oracle Enterprise Manager OPS Center 12.2.2 Oracle Enterprise Manager OPS Center 12.3.3 Oracle Primavera Gateway 16.2 Oracle Primavera Gateway 15.2 Oracle Primavera Gateway 17.12 Oracle Application Testing Suite 12.5.0.3 Oracle Application Testing Suite 13.1.0.1 Oracle Application Testing Suite 13.2.0.1 Oracle Application Testing Suite 13.3.0.1 Oracle Retail Back Office 14.1 Oracle Retail Back Office 14.0 Oracle Retail Open Commerce Platform 6.0.1 Oracle Retail Open Commerce Platform 5.3.0 Oracle Retail Open Commerce Platform 6.0.0 Oracle Communications Diameter Signaling Router - Oracle Communications Diameter Signaling Router 6.0 Oracle Communications Diameter Signaling Router 8.0 Oracle Communications Diameter Signaling Router 8.0.0 Oracle Communications Diameter Signaling Router 8.0.0.0 Oracle Communications Diameter Signaling Router 8.1 Oracle Communications Diameter Signaling Router 8.2 Oracle Communications Diameter Signaling Router 8.2.1 Oracle Communications Diameter Signaling Router 8.2.2 Oracle Communications Performance Intelligence Center * Oracle Insurance Rules Palette 10.0 Oracle Insurance Rules Palette 10.2 Oracle Insurance Rules Palette 10.1 Oracle Insurance Rules Palette 11.0 Oracle Insurance Rules Palette 11.1 Oracle Communications Services Gatekeeper 6.0 Oracle Communications Services Gatekeeper 6.1 Oracle Health Sciences Information Manager 3.0 Oracle Healthcare Master Person Index 3.0 Oracle Healthcare Master Person Index 4.0 Oracle Insurance Calculation Engine 10.2 Oracle Insurance Calculation Engine 10.2.1 Oracle Insurance Calculation Engine 10.1.1 Oracle Insurance Calculation Engine 11.0.0 Oracle Insurance Calculation Engine 11.3.1 Oracle Retail Customer Insights 15.0 Oracle Retail Customer Insights 16.0 Oracle Tape Library Acsls 8.4 Oracle Communications Converged Application Server 4.0 Oracle Communications Converged Application Server 5.0 Oracle Communications Converged Application Server 5.1 Oracle Communications Converged Application Server 7.0 Oracle Service Architecture Leveraging Tuxedo 12.1.3.0.0 Oracle Service Architecture Leveraging Tuxedo 12.2.2.0.0 Oracle Retail Predictive Application Server 14.0 Oracle Retail Predictive Application Server 14.1 Oracle Retail Predictive Application Server 15.0 Oracle Retail Predictive Application Server 16.0 Oracle Retail Order Broker 5.1 Oracle Retail Order Broker 5.2 Oracle Retail Order Broker 15.0 Oracle Retail Order Broker 16.0 Oracle BIG Data Discovery 1.6.0 Oracle Goldengate FOR BIG Data 12.2.0.1 Oracle Goldengate FOR BIG Data 12.3.1.1 Oracle Goldengate FOR BIG Data 12.3.2.1 Oracle Retail Integration BUS 14.0.1 Oracle Retail Integration BUS 14.0.2 Oracle Retail Integration BUS 14.0.3 Oracle Retail Integration BUS 14.0.4 Oracle Retail Integration BUS 16.0 Oracle Retail Integration BUS 16.0.1 Oracle Retail Integration BUS 16.0.2 Oracle Retail Integration BUS 15.0.1 Oracle Retail Integration BUS 15.0.0.1 Oracle Retail Integration BUS 15.0.2 Oracle Retail Integration BUS 14.1.1 Oracle Retail Integration BUS 14.1.2 Oracle Retail Integration BUS 14.1.3 Oracle Retail Returns Management 14.0 Oracle Retail Returns Management 14.1 Oracle Retail Point OF Sale 14.0 Oracle Retail Point OF Sale 14.1 Oracle Retail Central Office 14.0 Oracle Retail Central Office 14.1 Oracle Communications Policy Management 12.5.0 Oracle Rapid Planning 12.1 Oracle Rapid Planning 12.2	83

D2sec

name	Spring MVC File Disclosure
url	http://www.d2sec.com/exploits/spring_mvc_file_disclosure.html

Nessus

NASL family	Windows
NASL id	SPRING_CVE-2018-1271.NASL
description	The remote Windows host contains a Spring Framework library version that is 4.3.x prior to 4.3.15 or 5.0.x prior to 5.0.5. It is, therefore, affected by a directory traversal vulnerability. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server
last seen	2020-06-01
modified	2020-06-02
plugin id	119846
published	2018-12-21
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/119846
title	Spring Framework 4.3.x < 4.3.15 / 5.0.x < 5.0.5 Windows Directory Traversal Vulnerability (CVE-2018-1271)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(119846); script_version("1.3"); script_cvs_date("Date: 2019/04/30 14:30:16"); script_cve_id("CVE-2018-1271"); script_name(english:"Spring Framework 4.3.x < 4.3.15 / 5.0.x < 5.0.5 Windows Directory Traversal Vulnerability (CVE-2018-1271)"); script_summary(english:"Checks version of Spring Framework."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host contains a web application framework library that is affected by a directory traversal vulnerability."); script_set_attribute(attribute:"description", value: "The remote Windows host contains a Spring Framework library version that is 4.3.x prior to 4.3.15 or 5.0.x prior to 5.0.5. It is, therefore, affected by a directory traversal vulnerability. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://pivotal.io/security/cve-2018-1271"); script_set_attribute(attribute:"solution", value: "Upgrade to Spring Framework version 4.3.15 or 5.0.5 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1271"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"d2_elliot_name", value:"Spring MVC File Disclosure"); script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/05"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/21"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"agent", value:"windows"); script_set_attribute(attribute:"cpe", value:"cpe:/a:pivotal_software:spring_framework"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("os_fingerprint.nasl", "jar_detect_win.nbin"); script_require_keys("installed_sw/Pivotal Software Spring Framework", "Settings/ParanoidReport"); exit(0); } include("vcf.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); app = "Pivotal Software Spring Framework"; get_install_count(app_name:app, exit_if_zero:TRUE); # only Windows is affected os = get_kb_item_or_exit("Host/OS"); if ('windows' >!< tolower(os)) audit(AUDIT_OS_NOT, "Windows"); app_info = vcf::get_app_info(app:app, win_local:TRUE); constraints = [ { "min_version":"4.3", "fixed_version":"4.3.15" }, { "min_version":"5.0", "fixed_version":"5.0.5" } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

Redhat

advisories

rhsa
id RHSA-2018:1320
rhsa
id RHSA-2018:2669
rhsa
id RHSA-2018:2939

The Hacker News

id	THN:D7C30FB307A1DC524FADFFBF2D1BEAB1
last seen	2018-04-06
modified	2018-04-06
published	2018-04-05
reporter	Swati Khandelwal
source	https://thehackernews.com/2018/04/spring-framework-hacking.html
title	Remote Execution Flaw Threatens Apps Built Using Spring Framework — Patch Now

Vulnerabilities > CVE-2018-1271 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2018-1271"}]}

Summary

Vulnerable Configurations

D2sec

Nessus

Redhat

The Hacker News

References

Vulnerabilities > CVE-2018-1271