Directory traversal in Spring framework

  • A directory traversal vulnerability was reported in the Spring Framework's static resource handling. Some request URLs were not sanitized correctly before use, allowing an attacker to obtain any file on the file system that was also readable by the process in which the Spring web application was running.

    Affected Spring versions:
    • Spring Framework 3.0.4 to 3.2.11
    • Spring Framework 4.0.0 to 4.0.7
    • Spring Framework 4.1.0 to 4.1.1
    • Other unsupported versions may also be affected
  • Users of affected Spring versions should upgrade to the latest version:
    • Users of 3.2.x should upgrade to 3.2.12 or later
    • Users of 4.0.x should upgrade to 4.0.8 or later
    • Users of 4.1.x should upgrade to 4.1.2 or later
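The defensive check that static resource handling must perform is that the requested path, after decoding and normalization, still resolves inside the configured resource location. The following is an added example written for this page, not Spring's own code; the root directory and the sample request paths are constructed, and it assumes it receives the raw (not yet decoded) request path.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class StaticResourcePathCheck {
    private final Path root;

    public StaticResourcePathCheck(String rootDir) {
        // Canonical absolute root so the containment check below is meaningful.
        this.root = Paths.get(rootDir).toAbsolutePath().normalize();
    }

    /**
     * Returns the resolved file path for a requested static resource, or null
     * when the request would escape the configured root.
     */
    public Path resolve(String rawRequestPath) {
        // Decode percent-encoding once so "%2e%2e/" is treated the same as "../".
        // (Assumes the container has not already decoded the path; decoding twice
        // would mis-handle a literal "%" in a file name.)
        String decoded = URLDecoder.decode(rawRequestPath, StandardCharsets.UTF_8);
        // Reject embedded NUL bytes, which can truncate the path in native code.
        if (decoded.indexOf('\0') >= 0) return null;
        // Backslash is a separator on Windows; unify it so it cannot bypass the check.
        decoded = decoded.replace('\\', '/');
        // Strip leading slashes so an absolute request path cannot replace the root.
        while (decoded.startsWith("/")) decoded = decoded.substring(1);
        Path candidate = root.resolve(decoded).normalize();
        // After normalization the candidate must still lie under the root.
        return candidate.startsWith(root) ? candidate : null;
    }

    public static void main(String[] args) {
        StaticResourcePathCheck check = new StaticResourcePathCheck("/var/www/static"); // constructed root
        String[] samples = {                                                           // constructed inputs
            "css/site.css",
            "../../etc/passwd",
            "%2e%2e/%2e%2e/etc/passwd",
            "css/../../../etc/passwd",
            "/etc/passwd"
        };
        for (String s : samples) {
            Path p = check.resolve(s);
            System.out.println(s + " -> " + (p == null ? "REJECTED" : p));
        }
    }
}
```

Only the first sample resolves; every traversal variant, encoded or not, fails the `startsWith(root)` containment check.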