Spring Framework vulnerable to directory traversal


Spring Framework is a Java framework for developing web applications. Spring Framework contains a directory traversal vulnerability.

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products

  • Spring Framework versions 4.0.0 through 4.0.4
  • Spring Framework versions 3.2.0 through 3.2.8

According to the developer, version 3.1.1 has been confirmed to be affected and other unsupported versions may also be affected.

A remote attacker may be able to access arbitrary files on the server.

[Update the software]
Users of 3.x should update to version 3.2.9 or later and users of 4.x should update to version 4.0.5 or later.
For more information, refer to the developer's website.
Vendor Information

GoPivotal Red Hat, Inc. NEC Corporation
  • NEC Security Information : NV16-006 (in Japanese)
CWE (What is CWE?)

  1. Path Traversal(CWE-22) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-3578

  1. JVN : JVN#49154900
  2. National Vulnerability Database (NVD) : CVE-2014-3578
Revision History

  Web page was published
  Affected Products : Product was modified
  CVE : CVE-ID was added
  Affected Products : Product version was modified
  Solution was modified
  Vendor Information : Content was added
  Vendor Information : Contents were added
  References : Content was added
  Vendor Information : Content was added
  Vendor Information : Content was added