CVE-2018-1271
high-risk
Published 2018-04-06
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
Do I need to act?
!
90.6% chance of exploitation in next 30 days
EPSS score — higher than 9% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10
Medium
NETWORK
/ HIGH complexity
Affected Products (20)
References (22)
Third Party Advisory
http://www.securityfocus.com/bid/103699
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1320
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2669
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2939
Vendor Advisory
https://pivotal.io/security/cve-2018-1271
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Third Party Advisory
http://www.securityfocus.com/bid/103699
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1320
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2669
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2939
Vendor Advisory
https://pivotal.io/security/cve-2018-1271
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
and 2 more references
66
/ 100
high-risk
Severity
18/34 · Moderate
Exploitability
20/34 · Moderate
Exposure
28/34 · Critical