CVE-2014-3625 : Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and

Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

Published 2014-11-20 17:50:00

Updated 2022-04-11 17:16:27

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Directory traversal

Exploit prediction scoring system (EPSS) score for CVE-2014-3625

Probability of exploitation activity in the next 30 days: 0.48%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 73 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2014-3625

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2014-3625

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-3625

https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html

[SECURITY] [DLA 1853-1] libspring-java security update

CVEs referencing this url
http://www.pivotal.io/security/cve-2014-3625

CVE-2014-3625 Directory Traversal in Spring Framework | Security | Pivotal
Vendor Advisory
https://jira.spring.io/browse/SPR-12354

Directory traversal with static resource handling (CVE-2014-3625) [SPR-12354] · Issue #16959 · spring-projects/spring-framework · GitHub
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0236.html

RHSA-2015:0236 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-0720.html

RHSA-2015:0720 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url

Products affected by CVE-2014-3625

Vmware » Spring Framework
Versions from including (>=) 3.0.4 and up to, including, (<=) 3.0.7
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Spring Framework
Versions from including (>=) 4.0.0 and before (<) 4.0.8
cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Spring Framework
Versions from including (>=) 3.2.0 and before (<) 3.2.12
cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Spring Framework
Versions from including (>=) 4.1.0 and before (<) 4.1.2
cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Spring Framework
Versions from including (>=) 3.1.0 and up to, including, (<=) 3.1.4
cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2014-3625

Exploit prediction scoring system (EPSS) score for CVE-2014-3625

CVSS scores for CVE-2014-3625

CWE ids for CVE-2014-3625

References for CVE-2014-3625

Products affected by CVE-2014-3625