{"containers": {"cna": {"affected": [{"product": "Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5", "vendor": "n/a", "versions": [{"status": "affected", "version": "Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5"}]}], "datePublic": "2016-12-29T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks."}], "problemTypes": [{"descriptions": [{"description": "Directory Traversal", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-23T22:31:32", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"name": "1040698", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1040698"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20180419-0002/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://pivotal.io/security/cve-2016-9878"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}, {"name": "95072", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95072"}, {"name": "RHSA-2017:3115", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:3115"}, {"name": "[debian-lts-announce] 20190713 [SECURITY] [DLA 1853-1] libspring-java security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@dell.com", "ID": "CVE-2016-9878", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5", "version": {"version_data": [{"version_value": "Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Directory Traversal"}]}]}, "references": {"reference_data": [{"name": "1040698", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1040698"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}, {"name": "https://security.netapp.com/advisory/ntap-20180419-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20180419-0002/"}, {"name": "https://pivotal.io/security/cve-2016-9878", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2016-9878"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}, {"name": "95072", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95072"}, {"name": "RHSA-2017:3115", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:3115"}, {"name": "[debian-lts-announce] 20190713 [SECURITY] [DLA 1853-1] libspring-java security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"}, {"name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "refsource": "MISC", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T03:07:30.827Z"}, "title": "CVE Program Container", "references": [{"name": "1040698", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1040698"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20180419-0002/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://pivotal.io/security/cve-2016-9878"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}, {"name": "95072", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/95072"}, {"name": "RHSA-2017:3115", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:3115"}, {"name": "[debian-lts-announce] 20190713 [SECURITY] [DLA 1853-1] libspring-java security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2016-9878", "datePublished": "2016-12-29T09:02:00", "dateReserved": "2016-12-06T00:00:00", "dateUpdated": "2024-08-06T03:07:30.827Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB1B0A63-180F-406F-AA21-8E008E50031F", "versionEndIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:spring_framework:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "4CA248FC-6343-4A67-BFF8-A2DC07331B46", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:spring_framework:4.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "4AAD5A3C-78AC-417D-8EE6-8AF7C54E80FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "D2E2EA60-735E-431E-BEFE-DC5C1046E532", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "DFD1FA92-7BFC-4874-89FC-BE0F378F0DB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "7CC0E26F-2E8B-4B30-8C43-8BD2015EBB88", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "3CB73406-5FE4-438E-BCB7-57FBF6EC38D0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "B76F06BC-F53E-4E37-B84F-3E992D459A49", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "DD8CC0CF-61DE-4E3A-80DD-4AD34EBDF419", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "09D49870-9E17-4049-9ABB-311C319A0E8F", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "EB9CE889-FBC5-4078-ABAC-8BC6CA235D04", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "AF34B57A-9732-44C8-9EC7-07394FB588F8", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "C528FEA9-2E5E-413B-89C1-F14C67059702", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "8C7EA42F-55C6-4934-8F60-98B7717188D2", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.12:*:*:*:*:*:*:*", "matchCriteriaId": "E1DA44C3-D083-4584-8ACC-73B234767669", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.13:*:*:*:*:*:*:*", "matchCriteriaId": "1D6399F2-B9D6-4097-89DB-5F4B434DFFD3", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.14:*:*:*:*:*:*:*", "matchCriteriaId": "BD49BDC0-3431-43CF-8FF0-4A159238991B", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.15:*:*:*:*:*:*:*", "matchCriteriaId": "3F3B36EB-205A-4173-AD67-C1C42117640F", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.16:*:*:*:*:*:*:*", "matchCriteriaId": "C4302B7F-458C-43BD-A42D-D690C7884D0E", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:3.2.17:*:*:*:*:*:*:*", "matchCriteriaId": "0A187E52-6C33-4525-8A17-083BC9273638", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2DF06FD-CFEE-4B60-8058-B44569BE8BE5", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "06C17886-44CA-4B3E-970A-94383E9A4043", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:4.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "00BAC01A-9C49-46B0-B71F-D4940DAE2A7C", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "D906B4B9-4881-4A13-B4CA-60DCF1FA8840", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:4.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "C1E80958-4357-4AED-96F1-4D137F3E02BC", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:4.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "F3A6AB95-34DC-4A7D-B35D-1B4388EB49A7", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:4.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "FE93D33E-984A-4E71-A7E3-453EE0BC2064", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:4.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "6366E283-0EED-41CD-9386-CE658AD949C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:4.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "EEC9A3A7-8D93-407B-9338-7E84E0BE2A72", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:4.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "DA0BB688-AF66-4EF3-8A94-EC308E90A64C", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:4.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "DF0796B2-8B1D-40DF-B5F0-5D6082144BBF", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:4.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "FB40ED54-2193-4235-A317-DA2FEA7073AB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks."}, {"lang": "es", "value": "Un problema fue descubierto en Pivotal Spring Framework en versiones anteriores a 3.2.18, 4.2.x en versiones anteriores a 4.2.9 y 4.3.x en versiones anteriores a 4.3.5. Las rutas proporcionadas al ResourceServlet no fueron desinfectadas adecuadamente y como resultado expuestas a ataques de salto de directorio."}], "id": "CVE-2016-9878", "lastModified": "2022-04-11T17:18:31.047", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-12-29T09:59:00.820", "references": [{"source": "security_alert@emc.com", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}, {"source": "security_alert@emc.com", "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}, {"source": "security_alert@emc.com", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"}, {"source": "security_alert@emc.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95072"}, {"source": "security_alert@emc.com", "url": "http://www.securitytracker.com/id/1040698"}, {"source": "security_alert@emc.com", "url": "https://access.redhat.com/errata/RHSA-2017:3115"}, {"source": "security_alert@emc.com", "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"}, {"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://pivotal.io/security/cve-2016-9878"}, {"source": "security_alert@emc.com", "url": "https://security.netapp.com/advisory/ntap-20180419-0002/"}, {"source": "security_alert@emc.com", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2017:3115", "cpe": "cpe:/a:redhat:jboss_amq:6.3", "product_name": "Red Hat JBoss A-MQ 6.3", "release_date": "2017-11-02T00:00:00Z"}, {"advisory": "RHSA-2017:3115", "cpe": "cpe:/a:redhat:jboss_fuse:6.3", "product_name": "Red Hat JBoss Fuse 6.3", "release_date": "2017-11-02T00:00:00Z"}], "bugzilla": {"description": "Framework: Directory Traversal in the Spring Framework ResourceServlet", "id": "1408164", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1408164"}, "csaw": false, "cvss": {"cvss_base_score": "6.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "verified"}, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-22", "details": ["An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.", "It was found that ResourceServlet in Spring Framework does not sanitize the paths that have been provided properly. An attacker can utilize this flaw to conduct a directory traversal attacks."], "name": "CVE-2016-9878", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6", "fix_state": "Not affected", "package_name": "springframework", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:enterprise_linux:7::hypervisor", "fix_state": "Under investigation", "package_name": "jasperreports-server-pro", "product_name": "Red Hat Enterprise Virtualization 3"}, {"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Affected", "package_name": "karaf", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Not affected", "package_name": "springframework", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Not affected", "package_name": "springframework", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Will not fix", "package_name": "spring-webmvc", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Affected", "package_name": "karaf", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "millicore", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Not affected", "package_name": "activemq", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Affected", "package_name": "cartridge-amq", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Affected", "package_name": "cartridge-fuse", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Under investigation", "package_name": "jenkins", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Will not fix", "package_name": "springframework", "product_name": "Red Hat Storage 3"}], "public_date": "2016-12-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-9878\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-9878\nhttps://pivotal.io/security/cve-2016-9878"], "threat_severity": "Moderate", "upstream_fix": "Spring Framework 3.2.18, Spring Framework 4.2.9, Spring Framework 4.3.5"}