CVE-2014-3625
Improper Limitation of a Pathname to a Restricted Directory in Spring Framework
EPSS 17.0%
Description
Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.
How to fix CVE-2014-3625
To remediate CVE-2014-3625, upgrade the affected package to one of the fixed versions listed below.
- Debian/libspring-java—upgrade to 3.2.13-1 or later
- Maven/org.springframework:spring-webmvc—upgrade to 3.2.12 or later (for the 4.0.x and 4.1.x lines, the description above gives 4.0.8 and 4.1.2 as the fixed versions)
Is CVE-2014-3625 being exploited?
Moderate: EPSS is 17.0%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (2)
- Debian/libspring-java: from 0, < 3.2.13-1
- Maven/org.springframework:spring-webmvc: >= 3.0.4, < 3.2.12