2018-04-06 15:29:00 2019-07-24 01:15:32

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE

Pivotal software Spring framework 4.3.0 Rc2 (not an official CPE)
Pivotal software Spring framework 4.3.0 Rc1 (not an official CPE)
Pivotal software Spring framework 4.3.0 (not an official CPE)
Pivotal software Spring framework 4.3.0 - (not an official CPE)
Pivotal software Spring framework 4.2.9 (not an official CPE)
Oracle Tape library acsls 8.4 (not an official CPE)
Oracle Service architecture leveraging tuxedo 12.2.2.0.0 (not an official CPE)
Oracle Retail returns management 14.1 (not an official CPE)
Oracle Service architecture leveraging tuxedo 12.1.3.0.0 (not an official CPE)
Oracle Retail returns management 14.0 (not an official CPE)
Oracle Retail predictive application server 16.0 (not an official CPE)
Oracle Retail predictive application server 15.0 (not an official CPE)
Oracle Retail predictive application server 14.1 (not an official CPE)
Oracle Retail predictive application server 14.0 (not an official CPE)
Oracle Retail point-of-sale 14.0 (not an official CPE)
Oracle Retail point-of-sale 14.1 (not an official CPE)
Oracle Retail order broker 16.0 (not an official CPE)
Oracle Retail order broker 15.0 (not an official CPE)
Oracle Retail order broker 5.2 (not an official CPE)
Oracle Retail order broker 5.1 (not an official CPE)
Oracle Retail open commerce platform 6.0.1 (not an official CPE)
Oracle Retail open commerce platform 6.0.0 (not an official CPE)
Oracle Retail open commerce platform 5.3.0 (not an official CPE)
Oracle Retail integration bus 16.0.2 (not an official CPE)
Oracle Retail integration bus 16.0.1 (not an official CPE)
Oracle Retail integration bus 16.0 (not an official CPE)
Oracle Retail integration bus 15.0.2 (not an official CPE)
Oracle Retail integration bus 15.0.1 (not an official CPE)
Oracle Retail integration bus 15.0.0.1 (not an official CPE)
Oracle Retail integration bus 14.1.3 (not an official CPE)
Oracle Retail integration bus 14.1.2 (not an official CPE)
Oracle Retail integration bus 14.1.1 (not an official CPE)
Oracle Retail integration bus 14.0.4 (not an official CPE)
Oracle Retail integration bus 14.0.3 (not an official CPE)
Oracle Retail integration bus 14.0.2 (not an official CPE)
Oracle Retail integration bus 14.0.1 (not an official CPE)
Oracle Retail customer insights 16.0 (not an official CPE)
Oracle Retail customer insights 15.0 (not an official CPE)
Oracle Retail central office 14.1 (not an official CPE)
Oracle Retail central office 14.0 (not an official CPE)
Oracle Retail back office 14.1 (not an official CPE)
Oracle Retail back office 14.0 (not an official CPE)
Oracle Primavera gateway 17.12 (not an official CPE)
Oracle Primavera gateway 16.2 (not an official CPE)
Oracle Primavera gateway 15.2 (not an official CPE)
Oracle Insurance rules palette 11.1 (not an official CPE)
Oracle Insurance rules palette 11.0 (not an official CPE)
Oracle Insurance rules palette 10.2 (not an official CPE)
Oracle Insurance rules palette 10.1 (not an official CPE)
Oracle Insurance rules palette 10.0 (not an official CPE)
Oracle Insurance calculation engine 10.2.1 (not an official CPE)
Oracle Insurance calculation engine 10.2 (not an official CPE)
Oracle Insurance calculation engine 10.1.1 (not an official CPE)
Oracle Healthcare master person index 4.0 (not an official CPE)
Oracle Healthcare master person index 3.0 (not an official CPE)
Oracle Health sciences information manager 3.0 (not an official CPE)
Oracle Goldengate for big data 12.3.2.1 (not an official CPE)
Oracle Goldengate for big data 12.3.1.1 (not an official CPE)
Oracle Goldengate for big data 12.2.0.1 (not an official CPE)
Oracle Enterprise manager ops center 12.3.3 (not an official CPE)
Oracle Enterprise manager ops center 12.2.2 (not an official CPE)
Oracle Communications diameter signaling router 8.2 (not an official CPE)
Oracle Communications diameter signaling router 8.1 (not an official CPE)
Oracle Communications diameter signaling router 6.0 (not an official CPE)
Oracle Big data discovery 1.6.0 (not an official CPE)
Oracle Application testing suite 13.3.0.1 (not an official CPE)
Oracle Application testing suite 13.2.0.1 (not an official CPE)
Oracle Application testing suite 13.1.0.1 (not an official CPE)
Oracle Application testing suite 12.5.0.3 (not an official CPE)
Pivotal software Spring framework 4.3.1 (not an official CPE)
Pivotal software Spring framework 4.3.2 (not an official CPE)
Pivotal software Spring framework 4.3.3 (not an official CPE)
Pivotal software Spring framework 4.3.4 (not an official CPE)
Pivotal software Spring framework 4.3.5 (not an official CPE)
Pivotal software Spring framework 4.3.6 (not an official CPE)
Pivotal software Spring framework 4.3.7 (not an official CPE)
Pivotal software Spring framework 4.3.8 (not an official CPE)
Pivotal software Spring framework 4.3.9 (not an official CPE)
Pivotal software Spring framework 4.3.10 (not an official CPE)
Pivotal software Spring framework 4.3.11 (not an official CPE)
Pivotal software Spring framework 4.3.12 (not an official CPE)
Pivotal software Spring framework 4.3.13 (not an official CPE)
Pivotal software Spring framework 4.3.14 (not an official CPE)
Pivotal software Spring framework 5.0.0 (not an official CPE)
Pivotal software Spring framework 5.0.0 - (not an official CPE)
Pivotal software Spring framework 5.0.0 Milestone1 (not an official CPE)
Pivotal software Spring framework 5.0.0 Milestone2 (not an official CPE)
Pivotal software Spring framework 5.0.0 Milestone3 (not an official CPE)
Pivotal software Spring framework 5.0.0 Milestone4 (not an official CPE)
Pivotal software Spring framework 5.0.0 Milestone5 (not an official CPE)
Pivotal software Spring framework 5.0.0 Rc1 (not an official CPE)
Pivotal software Spring framework 5.0.0 Rc2 (not an official CPE)
Pivotal software Spring framework 5.0.0 Rc3 (not an official CPE)
Pivotal software Spring framework 5.0.0 Rc4 (not an official CPE)
Pivotal software Spring framework 5.0.1 (not an official CPE)
Pivotal software Spring framework 5.0.2 (not an official CPE)
Pivotal software Spring framework 5.0.3 (not an official CPE)
Pivotal software Spring framework 5.0.4 (not an official CPE)