CVE-2016-9878

2016-12-29 10:59:00 2018-07-19 03:29:05

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vector

NETWORK

Complexity

LOW

Authentication

NONE

Confidentiality

PARTIAL

Integrity

NONE

Availability

NONE

Pivotal software Spring framework 4.3.4 (not an official CPE) Pivotal software Spring framework 4.3.3 (not an official CPE) Pivotal software Spring framework 4.3.2 (not an official CPE) Pivotal software Spring framework 4.3.1 (not an official CPE) Pivotal software Spring framework 4.3.0 (not an official CPE) Pivotal software Spring framework 4.2.8 (not an official CPE) Pivotal software Spring framework 4.2.7 (not an official CPE) Pivotal software Spring framework 4.2.6 (not an official CPE) Pivotal software Spring framework 4.2.5 (not an official CPE) Pivotal software Spring framework 4.2.4 (not an official CPE) Pivotal software Spring framework 4.2.3 (not an official CPE) Pivotal software Spring framework 4.2.2 (not an official CPE) Pivotal software Spring framework 4.2.1 (not an official CPE) Pivotal software Spring framework 4.2.0 (not an official CPE) Pivotal software Spring framework 3.2.17 (not an official CPE) Pivotal software Spring framework 3.2.16 (not an official CPE) Pivotal software Spring framework 3.2.15 (not an official CPE) Pivotal software Spring framework 3.2.14 (not an official CPE) Pivotal software Spring framework 3.2.13 (not an official CPE) Pivotal software Spring framework 3.2.12 (not an official CPE) Pivotal software Spring framework 3.2.11 (not an official CPE) Pivotal software Spring framework 3.2.10 (not an official CPE) Pivotal software Spring framework 3.2.9 (not an official CPE) Pivotal software Spring framework 3.2.8 (not an official CPE) Pivotal software Spring framework 3.2.7 (not an official CPE) Pivotal software Spring framework 3.2.6 (not an official CPE) Pivotal software Spring framework 3.2.5 (not an official CPE) Pivotal software Spring framework 3.2.4 (not an official CPE) Pivotal software Spring framework 3.2.3 (not an official CPE) Pivotal software Spring framework 3.2.2 (not an official CPE) Pivotal software Spring framework 3.2.1 (not an official CPE) Pivotal software Spring framework 3.2.0 (not an official CPE)

Pivotal software - Spring framework

Advisory	Patch	Confirmed	Link
			https://pivotal.io/security/cve-2016-9878
			RHSA-2017:3115
			1040698
			95072
			http://www.oracle.com/technetwork/security-advisory/cpuj...
			http://www.oracle.com/technetwork/security-advisory/cpuj...
			http://www.oracle.com/technetwork/security-advisory/cpua...
			https://security.netapp.com/advisory/ntap-20180419-0002/

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (ID 22)

Related CAPEC 7 Relative Path Traversal (CAPEC-ID 139) Directory Traversal (CAPEC-ID 213) File System Function Injection, Content Based (CAPEC-ID 23) Using Slashes and URL Encoding Combined to Bypass Validation Logic (CAPEC-ID 64) Manipulating Input to File System Calls (CAPEC-ID 76) Using Escaped Slashes in Alternate Encoding (CAPEC-ID 78) Using Slashes in Alternate Encoding (CAPEC-ID 79)