{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-11-11T00:00:00", "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-13T23:06:02", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2015:0720", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.pivotal.io/security/cve-2014-3625"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://jira.spring.io/browse/SPR-12354"}, {"name": "RHSA-2015:0236", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0236.html"}, {"name": "[debian-lts-announce] 20190713 [SECURITY] [DLA 1853-1] libspring-java security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-3625", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2015:0720", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"name": "http://www.pivotal.io/security/cve-2014-3625", "refsource": "CONFIRM", "url": "http://www.pivotal.io/security/cve-2014-3625"}, {"name": "https://jira.spring.io/browse/SPR-12354", "refsource": "CONFIRM", "url": "https://jira.spring.io/browse/SPR-12354"}, {"name": "RHSA-2015:0236", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0236.html"}, {"name": "[debian-lts-announce] 20190713 [SECURITY] [DLA 1853-1] libspring-java security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:50:17.833Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2015:0720", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.pivotal.io/security/cve-2014-3625"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jira.spring.io/browse/SPR-12354"}, {"name": "RHSA-2015:0236", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0236.html"}, {"name": "[debian-lts-announce] 20190713 [SECURITY] [DLA 1853-1] libspring-java security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-3625", "datePublished": "2014-11-20T17:00:00", "dateReserved": "2014-05-14T00:00:00", "dateUpdated": "2024-08-06T10:50:17.833Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF9AB837-EAF8-45AC-9758-CC4357B54C66", "versionEndIncluding": "3.1.4", "versionStartIncluding": "3.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF486CA6-B388-4E08-B752-5B1D92881377", "versionEndExcluding": "3.2.12", "versionStartIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "85B0B579-8E34-4C21-80E1-461D7A797075", "versionEndExcluding": "4.0.8", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0F7D07C-183C-4F53-AD9E-3A7E5820E6D7", "versionEndExcluding": "4.1.2", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "1DFC0C4B-DA2F-4F49-9132-44E89A3BD6B9", "versionEndIncluding": "3.0.7", "versionStartIncluding": "3.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling."}, {"lang": "es", "value": "Vulnerabilidad de salto de directorio (Directory Traversal) en Pivotal Spring Framework versi\u00f3n 3.0.4 hasta 3.2.x anterior a 3.2.12, versi\u00f3n 4.0.x anterior a 4.0.8 y versi\u00f3n 4.1.x anterior a 4.1.2, permite a atacantes remotos leer archivos arbitrarios por medio de vectores no especificados, relacionados al manejo de recurso est\u00e1tico."}], "id": "CVE-2014-3625", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-11-20T17:50:00.113", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0236.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.pivotal.io/security/cve-2014-3625"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://jira.spring.io/browse/SPR-12354"}, {"source": "secalert@redhat.com", "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0236.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.pivotal.io/security/cve-2014-3625"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://jira.spring.io/browse/SPR-12354"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2015:0236", "cpe": "cpe:/a:redhat:jboss_amq:6.1.0", "product_name": "Red Hat JBoss A-MQ 6.1", "release_date": "2015-02-18T00:00:00Z"}, {"advisory": "RHSA-2015:0234", "cpe": "cpe:/a:redhat:jboss_bpms:6.0", "package": "spring", "product_name": "Red Hat JBoss BPMS 6.0", "release_date": "2015-02-17T00:00:00Z"}, {"advisory": "RHSA-2015:0235", "cpe": "cpe:/a:redhat:jboss_brms:6.0", "package": "spring", "product_name": "Red Hat JBoss BRMS 6.0", "release_date": "2015-02-17T00:00:00Z"}, {"advisory": "RHSA-2015:0236", "cpe": "cpe:/a:redhat:jboss_fuse:6.1.0", "product_name": "Red Hat JBoss Fuse 6.1", "release_date": "2015-02-18T00:00:00Z"}, {"advisory": "RHSA-2015:0720", "cpe": "cpe:/a:redhat:jboss_fuse_service_works:6.0", "package": "spring", "product_name": "Red Hat JBoss Fuse Service Works 6.0", "release_date": "2015-03-24T00:00:00Z"}], "bugzilla": {"description": "Framework: directory traversal flaw", "id": "1165936", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1165936"}, "csaw": false, "cvss": {"cvss_base_score": "5.0", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "status": "verified"}, "cwe": "CWE-22", "details": ["Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.", "A directory traversal flaw was found in the way the Spring Framework sanitized certain URLs. A remote attacker could use this flaw to obtain any file on the file system that was also accessible to the process in which the Spring web application was running."], "name": "CVE-2014-3625", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Will not fix", "package_name": "spring", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "amq-6.1", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-6.1", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5", "fix_state": "Will not fix", "package_name": "spring", "product_name": "Red Hat JBoss Portal 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6", "fix_state": "Affected", "package_name": "spring", "product_name": "Red Hat JBoss Portal 6"}], "public_date": "2014-11-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-3625\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3625"], "threat_severity": "Moderate"}