CVE-2016-9878 — Pivotal Spring Framework Paths provided to the ResourceServlet were not properly

Description

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

How to fix CVE-2016-9878

To remediate CVE-2016-9878, upgrade the affected package to a fixed version below.

—upgrade to 4.3.5-1 or later
—upgrade to 3.2.18 or later

Is CVE-2016-9878 being exploited?

Low — EPSS is 4.9%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.3.5-1
from 0, < 3.2.18

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (18)

ADVISORYgithub.com/advisories/GHSA-2m8h-fgr8-2q9w
ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-9878
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-9878
PATCHgithub.com/spring-projects/spring-framework
WEB