Directory traversal in Spring framework

Description

A directory traversal vulnerability was reported in the Spring Framework's static resource handling. Some URLs were not sanitized correctly before use, allowing an attacker to obtain any file on the file system that was also accessible to the process in which the Spring web application was running.
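As an added example (not Spring's own code or its fix), the resolver below shows the kind of check static resource handling needs: decode the request path once, resolve it against a fixed root, normalize it, and refuse anything that no longer sits under that root. The class name, the root /var/www/static and the sample requests are assumed or constructed; it needs Java 10 or later and POSIX-style paths.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

// Added example, not Spring's own code: maps a request path onto a fixed static-resource
// root and refuses anything that would escape it. Assumes POSIX paths; the root is hypothetical.
public final class StaticResourceResolver {
    private final Path root;

    public StaticResourceResolver(Path root) {
        // Normalize once so the startsWith() comparison below works segment by segment.
        this.root = root.toAbsolutePath().normalize();
    }

    /** Returns the on-disk path for requestPath, or empty if the request must be rejected. */
    public Optional<Path> resolve(String requestPath) {
        if (requestPath == null || requestPath.isEmpty()) {
            return Optional.empty();
        }
        // Decode exactly once; the checks below must see the same characters the file system will.
        String decoded = URLDecoder.decode(requestPath, StandardCharsets.UTF_8);
        // NUL bytes and backslashes never belong in a web path; reject them outright.
        if (decoded.indexOf('\0') >= 0 || decoded.indexOf('\\') >= 0) {
            return Optional.empty();
        }
        // Strip the leading slash so resolve() treats the request as relative to root, then
        // normalize(): "." and ".." segments collapse, so a traversal shows up as a path
        // that no longer starts with root. The root directory itself is not served either.
        Path candidate = root.resolve(decoded.replaceFirst("^/+", "")).normalize();
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            return Optional.empty();
        }
        return Optional.of(candidate);
    }

    public static void main(String[] args) {
        StaticResourceResolver resolver = new StaticResourceResolver(Paths.get("/var/www/static"));
        // Constructed sample requests: one legitimate, then plain, URL-encoded and backslash traversal.
        String[] samples = { "/css/app.css", "/css/../../../outside.txt",
                "/css/%2e%2e/%2e%2e/%2e%2e/outside.txt", "/css\\..\\..\\outside.txt" };
        for (String s : samples) {
            System.out.println(s + " -> " + resolver.resolve(s).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

Only the first sample resolves; the other three are rejected because normalization moves them above the root or because they contain a backslash.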

Affected Spring versions:

  • Spring Framework 3.0.4 to 3.2.11
  • Spring Framework 4.0.0 to 4.0.7
  • Spring Framework 4.1.0 to 4.1.1
  • Other unsupported versions may also be affected

Remediation

Users of affected Spring versions should upgrade to the latest version:

  • Users of 3.2.x should upgrade to 3.2.12 or later
  • Users of 4.0.x should upgrade to 4.0.8 or later
  • Users of 4.1.x should upgrade to 4.1.2 or later

References