5.9
CVE-2018-1271
- EPSS 90.93%
- Veröffentlicht 06.04.2018 13:29:00
- Zuletzt bearbeitet 21.11.2024 03:59:30
- Quelle security_alert@emc.com
- Teams Watchlist Login
- Unerledigt Login
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VMware ≫ Spring Framework Version >= 4.3.0 < 4.3.15
VMware ≫ Spring Framework Version >= 5.0.0 < 5.0.5
Oracle ≫ Application Testing Suite Version12.5.0.3
Oracle ≫ Application Testing Suite Version13.1.0.1
Oracle ≫ Application Testing Suite Version13.2.0.1
Oracle ≫ Application Testing Suite Version13.3.0.1
Oracle ≫ Big Data Discovery Version1.6.0
Oracle ≫ Communications Converged Application Server Version < 7.0.0.1
Oracle ≫ Communications Diameter Signaling Router Version < 8.3
Oracle ≫ Communications Performance Intelligence Center Version < 10.2.1
Oracle ≫ Communications Policy Management Version12.5.0
Oracle ≫ Communications Services Gatekeeper Version < 6.1.0.4.0
Oracle ≫ Enterprise Manager Ops Center Version12.2.2
Oracle ≫ Enterprise Manager Ops Center Version12.3.3
Oracle ≫ Goldengate For Big Data Version12.2.0.1
Oracle ≫ Goldengate For Big Data Version12.3.1.1
Oracle ≫ Goldengate For Big Data Version12.3.2.1
Oracle ≫ Health Sciences Information Manager Version3.0
Oracle ≫ Healthcare Master Person Index Version3.0
Oracle ≫ Healthcare Master Person Index Version4.0
Oracle ≫ Insurance Calculation Engine Version >= 11.0.0 <= 11.3.1
Oracle ≫ Insurance Calculation Engine Version10.1.1
Oracle ≫ Insurance Calculation Engine Version10.2
Oracle ≫ Insurance Calculation Engine Version10.2.1
Oracle ≫ Insurance Rules Palette Version10.0
Oracle ≫ Insurance Rules Palette Version10.1
Oracle ≫ Insurance Rules Palette Version10.2
Oracle ≫ Insurance Rules Palette Version11.0
Oracle ≫ Insurance Rules Palette Version11.1
Oracle ≫ Primavera Gateway Version15.2
Oracle ≫ Primavera Gateway Version16.2
Oracle ≫ Primavera Gateway Version17.12
Oracle ≫ Rapid Planning Version12.1
Oracle ≫ Rapid Planning Version12.2
Oracle ≫ Retail Back Office Version14.0
Oracle ≫ Retail Back Office Version14.1
Oracle ≫ Retail Central Office Version14.0
Oracle ≫ Retail Central Office Version14.1
Oracle ≫ Retail Customer Insights Version15.0
Oracle ≫ Retail Customer Insights Version16.0
Oracle ≫ Retail Integration Bus Version14.0.1
Oracle ≫ Retail Integration Bus Version14.0.2
Oracle ≫ Retail Integration Bus Version14.0.3
Oracle ≫ Retail Integration Bus Version14.0.4
Oracle ≫ Retail Integration Bus Version14.1.1
Oracle ≫ Retail Integration Bus Version14.1.2
Oracle ≫ Retail Integration Bus Version14.1.3
Oracle ≫ Retail Integration Bus Version15.0.0.1
Oracle ≫ Retail Integration Bus Version15.0.1
Oracle ≫ Retail Integration Bus Version15.0.2
Oracle ≫ Retail Integration Bus Version16.0
Oracle ≫ Retail Integration Bus Version16.0.1
Oracle ≫ Retail Integration Bus Version16.0.2
Oracle ≫ Retail Open Commerce Platform Version5.3.0
Oracle ≫ Retail Open Commerce Platform Version6.0.0
Oracle ≫ Retail Open Commerce Platform Version6.0.1
Oracle ≫ Retail Order Broker Version5.1
Oracle ≫ Retail Order Broker Version5.2
Oracle ≫ Retail Order Broker Version15.0
Oracle ≫ Retail Order Broker Version16.0
Oracle ≫ Retail Point-of-sale Version14.0
Oracle ≫ Retail Point-of-sale Version14.1
Oracle ≫ Retail Predictive Application Server Version14.0
Oracle ≫ Retail Predictive Application Server Version14.1
Oracle ≫ Retail Predictive Application Server Version15.0
Oracle ≫ Retail Predictive Application Server Version16.0
Oracle ≫ Retail Returns Management Version14.0
Oracle ≫ Retail Returns Management Version14.1
Oracle ≫ Retail Xstore Point Of Service Version7.1
Oracle ≫ Service Architecture Leveraging Tuxedo Version12.1.3.0.0
Oracle ≫ Service Architecture Leveraging Tuxedo Version12.2.2.0.0
Oracle ≫ Tape Library Acsls Version8.4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 90.93% | 0.996 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.9 | 2.2 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:P/I:N/A:N
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.