[Japanese]

JVNDB-2014-000054

Spring Framework vulnerable to directory traversal

Overview

Spring Framework is a Java framework for developing web applications. Spring Framework contains a directory traversal vulnerability.

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


GoPivotal
  • Spring Framework versions 4.0.0 through 4.0.4
  • Spring Framework versions 3.2.0 through 3.2.8

According to the developer, version 3.1.1 has been confirmed to be affected and other unsupported versions may also be affected.
Impact

A remote attacker may be able to access arbitrary files on the server.
Solution

[Update the software]
Users of 3.x should update to version 3.2.9 or later and users of 4.x should update to version 4.0.5 or later.
For more information, refer to the developer's website.
Vendor Information

GoPivotal Red Hat, Inc. NEC Corporation
  • NEC Security Information : NV16-006 (in Japanese)
CWE (What is CWE?)

  1. Path Traversal(CWE-22) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-3578
References

  1. JVN : JVN#49154900
  2. National Vulnerability Database (NVD) : CVE-2014-3578
Revision History

  • [2014/06/13]
      Web page was published
    [2014/06/17]
      Affected Products : Product was modified
    [2014/08/14]
      CVE : CVE-ID was added
    [2014/12/05]
      Affected Products : Product version was modified
      Solution was modified
      Vendor Information : Content was added
    [2015/02/24]
      Vendor Information : Contents were added
      References : Content was added
    [2015/05/11]
      Vendor Information : Content was added
    [2016/06/23]
      Vendor Information : Content was added