Lucene search

[email protected]NVD:CVE-2018-1271

HistoryApr 06, 2018 - 1:29 p.m.

CVE-2018-1271

2018-04-0613:29:00

CWE-22

[email protected]

web.nvd.nist.gov

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.5

Confidence

High

EPSS

0.004

Percentile

72.7%

JSON

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Affected configurations

Nvd

Node

vmwarespring_frameworkRange4.3.0–4.3.15

vmwarespring_frameworkRange5.0.0–5.0.5

Node

oracleapplication_testing_suiteMatch12.5.0.3

oracleapplication_testing_suiteMatch13.1.0.1

oracleapplication_testing_suiteMatch13.2.0.1

oracleapplication_testing_suiteMatch13.3.0.1

oraclebig_data_discoveryMatch1.6.0

oraclecommunications_converged_application_serverRange<7.0.0.1

oraclecommunications_diameter_signaling_routerRange<8.3

oraclecommunications_performance_intelligence_centerRange<10.2.1

oraclecommunications_policy_managementMatch12.5.0

oraclecommunications_services_gatekeeperRange<6.1.0.4.0

oracleenterprise_manager_ops_centerMatch12.2.2

oracleenterprise_manager_ops_centerMatch12.3.3

oraclegoldengate_for_big_dataMatch12.2.0.1

oraclegoldengate_for_big_dataMatch12.3.1.1

oraclegoldengate_for_big_dataMatch12.3.2.1

oraclehealth_sciences_information_managerMatch3.0

oraclehealthcare_master_person_indexMatch3.0

oraclehealthcare_master_person_indexMatch4.0

oracleinsurance_calculation_engineRange11.0.0–11.3.1

oracleinsurance_calculation_engineMatch10.1.1

oracleinsurance_calculation_engineMatch10.2

oracleinsurance_calculation_engineMatch10.2.1

oracleinsurance_rules_paletteMatch10.0

oracleinsurance_rules_paletteMatch10.1

oracleinsurance_rules_paletteMatch10.2

oracleinsurance_rules_paletteMatch11.0

oracleinsurance_rules_paletteMatch11.1

oracleprimavera_gatewayMatch15.2

oracleprimavera_gatewayMatch16.2

oracleprimavera_gatewayMatch17.12

oraclerapid_planningMatch12.1

oraclerapid_planningMatch12.2

oracleretail_back_officeMatch14.0

oracleretail_back_officeMatch14.1

oracleretail_central_officeMatch14.0

oracleretail_central_officeMatch14.1

oracleretail_customer_insightsMatch15.0

oracleretail_customer_insightsMatch16.0

oracleretail_integration_busMatch14.0.1

oracleretail_integration_busMatch14.0.2

oracleretail_integration_busMatch14.0.3

oracleretail_integration_busMatch14.0.4

oracleretail_integration_busMatch14.1.1

oracleretail_integration_busMatch14.1.2

oracleretail_integration_busMatch14.1.3

oracleretail_integration_busMatch15.0.0.1

oracleretail_integration_busMatch15.0.1

oracleretail_integration_busMatch15.0.2

oracleretail_integration_busMatch16.0

oracleretail_integration_busMatch16.0.1

oracleretail_integration_busMatch16.0.2

oracleretail_open_commerce_platformMatch5.3.0

oracleretail_open_commerce_platformMatch6.0.0

oracleretail_open_commerce_platformMatch6.0.1

oracleretail_order_brokerMatch5.1

oracleretail_order_brokerMatch5.2

oracleretail_order_brokerMatch15.0

oracleretail_order_brokerMatch16.0

oracleretail_point-of-saleMatch14.0

oracleretail_point-of-saleMatch14.1

oracleretail_predictive_application_serverMatch14.0

oracleretail_predictive_application_serverMatch14.1

oracleretail_predictive_application_serverMatch15.0

oracleretail_predictive_application_serverMatch16.0

oracleretail_returns_managementMatch14.0

oracleretail_returns_managementMatch14.1

oracleretail_xstore_point_of_serviceMatch7.1

oracleservice_architecture_leveraging_tuxedoMatch12.1.3.0.0

oracleservice_architecture_leveraging_tuxedoMatch12.2.2.0.0

oracletape_library_acslsMatch8.4

VendorProductVersionCPE
vmwarespring_framework*cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
oracleapplication_testing_suite12.5.0.3cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
oracleapplication_testing_suite13.1.0.1cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
oracleapplication_testing_suite13.2.0.1cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
oracleapplication_testing_suite13.3.0.1cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
oraclebig_data_discovery1.6.0cpe:2.3:a:oracle:big_data_discovery:1.6.0:*:*:*:*:*:*:*
oraclecommunications_converged_application_server*cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*
oraclecommunications_diameter_signaling_router*cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
oraclecommunications_performance_intelligence_center*cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:*
oraclecommunications_policy_management12.5.0cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vmware	spring_framework	*	cpe:2.3:a:vmware:spring_framework::::::::
oracle	application_testing_suite	12.5.0.3	cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:::::::*
oracle	application_testing_suite	13.1.0.1	cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:::::::*
oracle	application_testing_suite	13.2.0.1	cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:::::::*
oracle	application_testing_suite	13.3.0.1	cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:::::::*
oracle	big_data_discovery	1.6.0	cpe:2.3:a:oracle:big_data_discovery:1.6.0:::::::*
oracle	communications_converged_application_server	*	cpe:2.3:a:oracle:communications_converged_application_server::::::::
oracle	communications_diameter_signaling_router	*	cpe:2.3:a:oracle:communications_diameter_signaling_router::::::::
oracle	communications_performance_intelligence_center	*	cpe:2.3:a:oracle:communications_performance_intelligence_center::::::::
oracle	communications_policy_management	12.5.0	cpe:2.3:a:oracle:communications_policy_management:12.5.0:::::::*