Multiple vulnerabilities have been identified in the OpenSource/Pivotal Spring Framework version that is embeddded in IBM Tivoli Application Dependency Discovery Manager (TADDM) thus requiring an upgrade to Spring Framework version 3.2.13.
CVEID:CVE-2014-3578
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to view arbitrary files on the system.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93774> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID:CVE-2014-3625
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99872> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID:CVE-2013-7315
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data. By sending a specially-crafted request, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95219> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID:CVE-2013-4152
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data. By sending a specially-crafted request, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/86589> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID:CVE-2014-0054
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error in Jaxb2RootElementHttpMessageConverter when processing XML data. By sending specially-crafted XML data, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/91841> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
TADDM 7.2.2
There is an eFix containing an upgrade of the Spring Framework to version 3.2.13 prepared on top of TADDM 7.2.2 FixPack 5
Fix | VRMF | APAR | How to acquire fix |
---|---|---|---|
efix_spring3.2.13v1_FP520160209.zip | 7.2.2.5 | None | Download eFix |
Please get familiar with eFix readme in etc/<efix_name>_readme.txt
Please note that the eFix requires manual backup/removal of a named jar as per readme file.
None.
CPE | Name | Operator | Version |
---|---|---|---|
tivoli application dependency discovery manager | eq | 7.2.2 |