Spring Framework vulnerable to directory traversal


Spring Framework is a Java framework for developing web applications. Spring Framework contains a directory traversal vulnerability.

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

  • Spring Framework versions 4.0.0 through 4.0.4
  • Spring Framework versions 3.2.0 through 3.2.8

According to the developer, version 3.1.1 has been confirmed to be affected and other unsupported versions may also be affected.

A remote attacker may be able to access arbitrary files on the server.

[Update the software]
Users of 3.x should update to version 3.2.9 or later and users of 4.x should update to version 4.0.5 or later.
For more information, refer to the developer's website.
Vendor Information

GoPivotal Red Hat, Inc. NEC Corporation
  • NEC Security Information : NV16-006 (in Japanese)
CWE (What is CWE?)

  1. Path Traversal(CWE-22) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-3578

  1. JVN : JVN#49154900
  2. National Vulnerability Database (NVD) : CVE-2014-3578
Revision History

  • [2014/06/13]
      Web page was published
      Affected Products : Product was modified
      CVE : CVE-ID was added
      Affected Products : Product version was modified
      Solution was modified
      Vendor Information : Content was added
      Vendor Information : Contents were added
      References : Content was added
      Vendor Information : Content was added
      Vendor Information : Content was added