Vulnerability Name:

CVE-2016-9878 (CCN-120241)

Assigned: 2016-12-29
Published: 2016-12-29
Updated: 2022-04-11
Summary: An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and, as a result, were exposed to directory traversal attacks.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-22
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2016-9878

Source: CCN
Type: IBM Security Bulletin 2013753 (Security Guardium Big Data Intelligence)
IBM Security Guardium Big Data Intelligence (SonarG) is vulnerable to using Components with Known Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 2015813 (Security QRadar SIEM)
IBM QRadar SIEM contains vulnerable components and libraries. (CVE-2016-5007, CVE-2016-9878)

Source: CCN
Type: Oracle CPUApr2018
Oracle Critical Patch Update Advisory - April 2018

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Source: CCN
Type: Oracle CPUJan2018
Oracle Critical Patch Update Advisory - January 2018

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Source: CCN
Type: Oracle CPUJul2018
Oracle Critical Patch Update Advisory - July 2018

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Source: BID
Type: Third Party Advisory, VDB Entry
95072

Source: CCN
Type: BID-95072
Spring Framework CVE-2016-9878 Directory Traversal Vulnerability

Source: SECTRACK
Type: UNKNOWN
1040698

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3115

Source: XF
Type: UNKNOWN
pivotal-spring-cve20169878-dir-traversal(120241)

Source: MLIST
Type: UNKNOWN
[debian-lts-announce] 20190713 [SECURITY] [DLA 1853-1] libspring-java security update

Source: CCN
Type: Pivotal Web site
CVE-2016-9878 Directory Traversal in the Spring Framework ResourceServlet

Source: CONFIRM
Type: Vendor Advisory
https://pivotal.io/security/cve-2016-9878

Source: CONFIRM
Type: UNKNOWN
https://security.netapp.com/advisory/ntap-20180419-0002/

Source: CCN
Type: IBM Security Bulletin 730313 (Security Guardium)
IBM Security Guardium is affected by a Using Components with Known Vulnerabilities vulnerability

Source: CCN
Type: IBM Security Bulletin 0872142 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6403331 (Security Guardium Data Encryption)
Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)

Source: CCN
Type: IBM Security Bulletin 6570969 (Sterling B2B Integrator)
IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Spring Framework

Source: CCN
Type: IBM Security Bulletin 6841803 (Cognos Controller)
IBM Cognos Controller has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6955033 (Security Directory Integrator)
IBM Security Directory Integrator is affected by multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6984347 (Engineering Requirements Management DOORS)
IBM Engineering Requirements Management DOORS/DWA vulnerabilities fixes for 9.7.2.6

Source: CCN
Type: IBM Security Bulletin 7001693 (Security Directory Suite VA)
IBM Security Directory Suite is vulnerable to multiple issues

Source: MISC
Type: UNKNOWN
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2016-9878

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:vmware:spring_framework:4.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:pivotal_software:spring_framework:4.3.0:-:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:4.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:4.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:pivotal_software:spring_framework:4.2.0:-:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.11:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.10:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:4.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:4.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.17:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.16:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.9:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:pivotal_software:spring_framework:*:*:*:*:*:*:*:* (Version <= 3.2.0)
  • OR cpe:/a:vmware:spring_framework:4.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:4.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:4.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.15:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.14:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:4.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:4.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:4.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:4.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.13:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.12:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:pivotal:spring_framework:4.3.4:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:qradar_security_information_and_event_manager:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_assortment_planning:14.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:13.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:14.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:14.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_assortment_planning:15.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_assortment_planning:16.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_big_data_intelligence:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:10.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_integration_bus:14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_integration_bus:14.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.3.5:*:*:*:standard:*:*:*

* Denotes that component is vulnerable

Oval Definitions
Definition ID | Class | Title | Last Modified
oval:com.ubuntu.bionic:def:201698780000000 | V | CVE-2016-9878 on Ubuntu 18.04 LTS (bionic) - low. | 2016-12-29
oval:com.ubuntu.artful:def:20169878000 | V | CVE-2016-9878 on Ubuntu 17.10 (artful) - low. | 2016-12-29
oval:com.ubuntu.trusty:def:20169878000 | V | CVE-2016-9878 on Ubuntu 14.04 LTS (trusty) - low. | 2016-12-29
oval:com.ubuntu.xenial:def:201698780000000 | V | CVE-2016-9878 on Ubuntu 16.04 LTS (xenial) - low. | 2016-12-29
oval:com.ubuntu.bionic:def:20169878000 | V | CVE-2016-9878 on Ubuntu 18.04 LTS (bionic) - low. | 2016-12-29
oval:com.ubuntu.xenial:def:20169878000 | V | CVE-2016-9878 on Ubuntu 16.04 LTS (xenial) - low. | 2016-12-29
oval:com.ubuntu.disco:def:201698780000000 | V | CVE-2016-9878 on Ubuntu 19.04 (disco) - low. | 2016-12-29
oval:com.ubuntu.cosmic:def:20169878000 | V | CVE-2016-9878 on Ubuntu 18.10 (cosmic) - low. | 2016-12-29
oval:com.ubuntu.cosmic:def:201698780000000 | V | CVE-2016-9878 on Ubuntu 18.10 (cosmic) - low. | 2016-12-29
oval:com.ubuntu.precise:def:20169878000 | V | CVE-2016-9878 on Ubuntu 12.04 LTS (precise) - low. | 2016-12-29