{ "threat_severity" : "Moderate", "public_date" : "2018-04-05T00:00:00Z", "bugzilla" : { "description" : "spring-framework: Directory traversal vulnerability with static resources on Windows filesystems", "id" : "1571050", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1571050" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-22", "details" : [ "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack." ], "affected_release" : [ { "product_name" : "Red Hat Fuse Intergration Services 2.0 based on Fuse 6.3 R8", "release_date" : "2018-10-17T00:00:00Z", "advisory" : "RHSA-2018:2939", "cpe" : "cpe:/a:redhat:jboss_fuse:6.3" }, { "product_name" : "Red Hat JBoss Fuse 7", "release_date" : "2018-09-11T00:00:00Z", "advisory" : "RHSA-2018:2669", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "spring" }, { "product_name" : "Red Hat Openshift Application Runtimes", "release_date" : "2018-05-03T00:00:00Z", "advisory" : "RHSA-2018:1320", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "springframework", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat JBoss A-MQ 6", "fix_state" : "Out of support scope", "package_name" : "spring", "cpe" : "cpe:/a:redhat:jboss_amq:6" }, { "product_name" : "Red Hat JBoss BRMS 5", "fix_state" : "Out of support scope", "package_name" : "spring", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Out of support scope", "package_name" : "spring", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Out of support scope", "package_name" : "spring", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Will not fix", "package_name" : "spring", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Integration Service 2", "fix_state" : "Affected", "package_name" : "spring", "cpe" : "cpe:/a:redhat:fuse_integration_services:2" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "spring", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss SOA Platform 5", "fix_state" : "Out of support scope", "package_name" : "spring", "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5" }, { "product_name" : "Red Hat Mobile Application Platform 4", "fix_state" : "Not affected", "package_name" : "spring", "cpe" : "cpe:/a:redhat:mobile_application_platform:4" }, { "product_name" : "Red Hat OpenStack Platform 10 (Newton)", "fix_state" : "Not affected", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:10" }, { "product_name" : "Red Hat OpenStack Platform 11 (Ocata)", "fix_state" : "Not affected", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:11" }, { "product_name" : "Red Hat OpenStack Platform 12 (Pike)", "fix_state" : "Not affected", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:12" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)", "fix_state" : "Not affected", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:9" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Not affected", "package_name" : "rhevm-dependencies", "cpe" : "cpe:/a:redhat:storage:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-1271\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1271\nhttps://pivotal.io/security/cve-2018-1271" ], "name" : "CVE-2018-1271", "csaw" : false }