CVE-2016-9878

Description

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

References

Link	Tags
http://www.securitytracker.com/id/1040698	vdb entry
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
https://security.netapp.com/advisory/ntap-20180419-0002/
https://pivotal.io/security/cve-2016-9878	vendor advisory
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.securityfocus.com/bid/95072	third party advisory vdb entry
https://access.redhat.com/errata/RHSA-2017:3115	vendor advisory
https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html	mailing list
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Frequently Asked Questions

What is the severity of CVE-2016-9878?: CVE-2016-9878 has been scored as a high severity vulnerability.
How to fix CVE-2016-9878?: To fix CVE-2016-9878, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2016-9878 being actively exploited in the wild?: It is possible that CVE-2016-9878 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~5% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2016-9878?: CVE-2016-9878 affects n/a Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5.

Description

Category

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

Frequently Asked Questions