RHSA-2018:1320
PUBLISHED
CVSS 6.5 MEDIUM
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
Risk Scores
- CVSS 3.0: 6.5
- Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Red Hat Openshift Application Runtimes | |
Exploit Intelligence
- Apache Tomcat security bypass vulnerability PoC (github-poc)
- thariyarox/tomcat_CVE-2018-1304_testing (github-poc)
- knqyf263/CVE-2018-1304 (github-poc)
- cve_db.json (github-poc)
- web_poc_map_v2.yaml (github-poc)
- Nuclei Template: CVE-2018-1271 (nuclei-template)
Timeline
- May 3, 2018 CVE Published
- Apr 30, 2026 Distribution Patch (2 entries)
- Apr 30, 2026 Security Advisory (6 entries)
- May 14, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2018:1320 advisory
- https://access.redhat.com/security/updates/classification/#critical advisory
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.spring.boot&version=1.5.12 advisory
- https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html/red_hat_openshift_application_runtimes_release_notes/ advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1548282 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=1548289 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=1564408 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=1565307 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=1571050 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_1320.json advisory
- https://access.redhat.com/security/cve/CVE-2018-1271 advisory
- https://www.cve.org/CVERecord?id=CVE-2018-1271 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2018-1271 advisory
- https://pivotal.io/security/cve-2018-1271 advisory
- https://access.redhat.com/security/cve/CVE-2018-1272 advisory
- https://www.cve.org/CVERecord?id=CVE-2018-1272 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2018-1272 advisory
- https://pivotal.io/security/cve-2018-1272 advisory
- https://access.redhat.com/security/cve/CVE-2018-1275 advisory
- https://www.cve.org/CVERecord?id=CVE-2018-1275 advisory
…and 10 more