JVN#49154900
Spring Framework vulnerable to directory traversal
Overview
Spring Framework contains a directory traversal vulnerability.
Products Affected
- Spring Framework versions 4.0.0 through 4.0.4
- Spring Framework versions 3.2.0 through 3.2.8
According to the developer, version 3.1.1 has been confirmed to be affected and other unsupported versions may also be affected.
Description
Spring Framework is a Java framework for developing web applications. Spring Framework contains a directory traversal vulnerability.
Impact
A remote attacker may be able to access arbitrary files on the server.
Solution
Update the software
Users of 3.x should update to version 3.2.9 or later and users of 4.x should update to version 4.0.5 or later.
For more information, refer to the developer's website.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| NEC Corporation | Vulnerable | 2016/06/20 |
| Vendor | Link |
| GoPivotal, Inc. | CVE-2014-3578 Directory Traversal in Spring Framework |
| Spring Framework |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2014-3578 |
| JVN iPedia |
JVNDB-2014-000054 |
Update History
- 2014/06/17
- Fixed information under "Prodcuts Affected" and "Solution"
- 2014/06/18
- Fixed information under "Vulnerability Analysis by JPCERT/CC"
- 2014/08/14
- Added CVE link under "Other Information"
- 2014/12/05
- "Products Affected", "Solution" and "Vendor Status" were updated.
- 2016/06/21
- NEC Corporation update status