{
  "threat_severity" : "Moderate",
  "public_date" : "2014-11-11T00:00:00Z",
  "bugzilla" : {
    "description" : "Framework: directory traversal flaw",
    "id" : "1165936",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1165936"
  },
  "cvss" : {
    "cvss_base_score" : "5.0",
    "cvss_scoring_vector" : "AV:N/AC:L/Au:N/C:P/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.", "A directory traversal flaw was found in the way the Spring Framework sanitized certain URLs. A remote attacker could use this flaw to obtain any file on the file system that was also accessible to the process in which the Spring web application was running." ],
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss A-MQ 6.1",
    "release_date" : "2015-02-18T00:00:00Z",
    "advisory" : "RHSA-2015:0236",
    "cpe" : "cpe:/a:redhat:jboss_amq:6.1.0"
  }, {
    "product_name" : "Red Hat JBoss BPMS 6.0",
    "release_date" : "2015-02-17T00:00:00Z",
    "advisory" : "RHSA-2015:0234",
    "cpe" : "cpe:/a:redhat:jboss_bpms:6.0",
    "package" : "spring"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6.0",
    "release_date" : "2015-02-17T00:00:00Z",
    "advisory" : "RHSA-2015:0235",
    "cpe" : "cpe:/a:redhat:jboss_brms:6.0",
    "package" : "spring"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6.1",
    "release_date" : "2015-02-18T00:00:00Z",
    "advisory" : "RHSA-2015:0236",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.1.0"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6.0",
    "release_date" : "2015-03-24T00:00:00Z",
    "advisory" : "RHSA-2015:0720",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6.0",
    "package" : "spring"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss BRMS 5",
    "fix_state" : "Will not fix",
    "package_name" : "spring",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Portal 5",
    "fix_state" : "Will not fix",
    "package_name" : "spring",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Portal 6",
    "fix_state" : "Affected",
    "package_name" : "spring",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-3625\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3625" ],
  "name" : "CVE-2014-3625",
  "csaw" : false
}