Page 4 of 26 results (0.004 seconds)

CVSS: 7.5EPSS: 0%CPEs: 32EXPL: 0

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks. Un problema fue descubierto en Pivotal Spring Framework en versiones anteriores a 3.2.18, 4.2.x en versiones anteriores a 4.2.9 y 4.3.x en versiones anteriores a 4.3.5. Las rutas proporcionadas al ResourceServlet no fueron desinfectadas adecuadamente y como resultado expuestas a ataques de salto de directorio. It was found that ResourceServlet in Spring Framework does not sanitize the paths that have been provided properly. • http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.securityfocus.com/bid/95072 http://www.securitytracker.com/id/1040698 https://access.redhat.com/errata/RHSA-2017:3115 https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html https://pivotal.io/security/cve-2016-9878 https://security.netapp.com/adviso • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 5.5EPSS: 3%CPEs: 23EXPL: 0

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file. Pivotal Spring Framework en versiones anteriores a 3.2.14 y 4.x en versiones anteriores a 4.1.7 no procesa correctamente las declaraciones DTD en línea cuando DTD no está completamente desactivado, lo que permite a atacantes remotos provocar una caída de servicio (consumo de memoria y errores fuera de rango) a través de un archivo XML manipulado. A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. • http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html http://pivotal.io/security/cve-2015-3192 http://rhn.redhat.com/errata/RHSA-2016-1592.html http://rhn.redhat.com/errata/RHSA-2016-1593.html http://rhn.redhat.com/errata/RHSA-2016-2035.html http://rhn.redhat.com/errata/RHSA-2016-2036.html http://www.securityfocus.com/bid/90853 http://www.securitytracker.com/id/1036587 ht • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0

Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL. Vulnerabilidad de salto de directorio en Pivotal Spring Framework 3.x anterior a 3.2.9 y 4.0 anterior a 4.0.5 permite a atacantes remotos leer ficheros arbitrarios a través de una URL arbitraria. A directory traversal flaw was found in the Spring Framework. A remote attacker could use this flaw to access arbitrary files on a server, and bypassing security restrictions that are otherwise in place. • http://jvn.jp/en/jp/JVN49154900/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2014-000054 http://pivotal.io/security/cve-2014-3578 http://rhn.redhat.com/errata/RHSA-2015-0720.html http://www.securityfocus.com/bid/68042 https://bugzilla.redhat.com/show_bug.cgi?id=1131882 https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html https://rhn.redhat.com/errata/RHSA-2015-0234.html https://rhn.redhat.com/errata/RHSA-2015-0235.html https://access.redhat.com&#x • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 0

Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling. Vulnerabilidad de salto de directorio (Directory Traversal) en Pivotal Spring Framework versión 3.0.4 hasta 3.2.x anterior a 3.2.12, versión 4.0.x anterior a 4.0.8 y versión 4.1.x anterior a 4.1.2, permite a atacantes remotos leer archivos arbitrarios por medio de vectores no especificados, relacionados al manejo de recurso estático. A directory traversal flaw was found in the way the Spring Framework sanitized certain URLs. A remote attacker could use this flaw to obtain any file on the file system that was also accessible to the process in which the Spring web application was running. • http://rhn.redhat.com/errata/RHSA-2015-0236.html http://rhn.redhat.com/errata/RHSA-2015-0720.html http://www.pivotal.io/security/cve-2014-3625 https://jira.spring.io/browse/SPR-12354 https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html https://access.redhat.com/security/cve/CVE-2014-3625 https://bugzilla.redhat.com/show_bug.cgi?id=1165936 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 8.8EPSS: 0%CPEs: 34EXPL: 0

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack. Al procesar un documento XML proporcionado por el usuario, el Framework Spring, versiones de la 4.0.0 a la 4.0.4 y de la 3.0.0 a la 3.2.8 y otras versiones anteriores ya no soportadas, no desactiva por defecto la resolución de las referencias URI en una declaración DTD, lo que habilita ataques de tipo XXE. It was found that the Spring Framework did not, by default, disable the resolution of URI references in a DTD declaration when processing user-provided XML documents. By observing differences in response times, an attacker could identify valid IP addresses on the internal network with functioning web servers. • https://pivotal.io/security/cve-2014-0225 https://access.redhat.com/security/cve/CVE-2014-0225 https://bugzilla.redhat.com/show_bug.cgi?id=1110110 • CWE-611: Improper Restriction of XML External Entity Reference •