The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SAS SAS/INSIGHT

Security bulletin CVE-2018-11039

Spring Framework: information disclosure via Cross Site Tracing

Synthesis of the vulnerability

An attacker can use Cross Site Tracing against Spring Framework to bypass access restrictions on data, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 15/06/2018.
Identifiers: cpuapr2019, cpujan2019, cpujul2019, cpuoct2018, CVE-2018-11039, VIGILANCE-VUL-26439.

Security bulletin CVE-2018-1257

Spring Framework: denial of service via Spring-messaging

Synthesis of the vulnerability

An attacker can trigger a fatal error in Spring-messaging of Spring Framework, in order to cause a denial of service.
Severity: 2/4.
Creation date: 09/05/2018.
Identifiers: cpuapr2019, cpujan2019, cpujul2019, cpuoct2018, CVE-2018-1257, VIGILANCE-VUL-26088.

Security bulletin CVE-2018-1275

Spring Framework: information disclosure via Multipart Content

Synthesis of the vulnerability

An attacker can use the Multipart Content handling of Spring Framework to bypass access restrictions on data, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 10/04/2018.
Identifiers: cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2018-1275, VIGILANCE-VUL-25828.

Security bulletin CVE-2018-1272

Spring Framework: information disclosure via Multipart Content

Synthesis of the vulnerability

An attacker can use the Multipart Content handling of Spring Framework to bypass access restrictions on data, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 06/04/2018.
Identifiers: cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2018-1272, RHSA-2018:2669-01, VIGILANCE-VUL-25785.

Security bulletin CVE-2018-1271

Spring Framework: directory traversal via Spring MVC

Synthesis of the vulnerability

An attacker can traverse directories through Spring MVC in Spring Framework, in order to read a file outside the service root path.
Severity: 2/4.
Creation date: 06/04/2018.
Identifiers: cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2018-1271, RHSA-2018:2669-01, VIGILANCE-VUL-25784.

Security bulletin CVE-2018-1270

Spring Framework: code execution via spring-messaging

Synthesis of the vulnerability

An attacker can exploit a vulnerability in spring-messaging of Spring Framework, in order to run code.
Severity: 3/4.
Creation date: 06/04/2018.
Identifiers: cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2018-1270, VIGILANCE-VUL-25783.

Security bulletin CVE-2016-6814

Apache Groovy: code execution

Synthesis of the vulnerability

An attacker can exploit a vulnerability in Apache Groovy, in order to run code.
Severity: 2/4.
Creation date: 23/01/2017.
Identifiers: cpuapr2018, cpujan2018, cpujan2019, cpujul2019, cpuoct2017, CVE-2016-6814, DLA-794-1, FEDORA-2017-1ce2a05ff1, FEDORA-2017-33c8085c5d, FEDORA-2017-661dddc462, FEDORA-2017-cc0e0daf0f, RHSA-2017:0272-01, RHSA-2017:0868-01, RHSA-2017:2486-01, RHSA-2017:2596-01, VIGILANCE-VUL-21640.

Security bulletin CVE-2016-9878

Spring Framework: directory traversal via ResourceServlet

Synthesis of the vulnerability

An attacker can traverse directories through the ResourceServlet of Spring Framework, in order to read a file outside the service root path.
Severity: 2/4.
Creation date: 22/12/2016.
Identifiers: 1996375, 2015813, CST-7122, CST-7123, CST-7124, CST-7125, CST-7126, CST-7127, CST-7128, CST-7129, CST-7130, CST-7131, CVE-2016-9878, DLA-1853-1, FEDORA-2016-f341d71730, RHSA-2017:3115-01, VIGILANCE-VUL-21453.

Description of the vulnerability

The Spring Framework product offers a web service.

However, user-supplied data is inserted directly into a file access path, so sequences such as "/.." can be used to move up to the parent directory.

An attacker can therefore traverse directories through the ResourceServlet of Spring Framework, in order to read a file outside the service root path.

Security bulletin CVE-2016-5007

Spring Framework: privilege escalation via configuration inconsistencies

Synthesis of the vulnerability

An attacker can access private parts of an application built with Spring Framework, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 08/07/2016.
Revision date: 11/07/2016.
Identifiers: 2015813, CST-7122, CST-7123, CST-7124, CST-7125, CST-7126, CST-7127, CST-7128, CST-7129, CST-7130, CST-7131, CVE-2016-5007, VIGILANCE-VUL-20049.

Description of the vulnerability

The Spring Framework product helps developers implement web applications.

The extension module Spring Security manages access control. Spring Framework and Spring Security both use a configuration file to specify how they must handle URLs. However, the two modules normalize URL patterns differently. Because of this, some parts of the application that should be protected by Spring Security are served directly by Spring Framework, so access to them is unrestricted.

An attacker can therefore access private parts of an application built with Spring Framework, in order to obtain sensitive information.

Security bulletin CVE-2015-5211

Spring Framework: code execution via Reflected File Download

Synthesis of the vulnerability

An attacker can trigger a Reflected File Download with Spring Framework, in order to entice the victim into running malicious code.
Severity: 1/4.
Creation date: 16/10/2015.
Identifiers: CST-7122, CST-7123, CST-7124, CST-7125, CST-7126, CST-7127, CST-7128, CST-7129, CST-7130, CST-7131, CVE-2015-5211, DLA-1853-1, FEDORA-2015-693035254a, FEDORA-2015-9295d75400, VIGILANCE-VUL-18125.

Description of the vulnerability

An attack of type RFD (Reflected File Download) applies to a web site with the following characteristics:
 - acceptance of URLs ending with ";/file.extension" (where the extension is "bat", for example)
 - generation of a Content-Type header corresponding to a document to be saved as a file, or an empty Content-Type header
 - generation of the page body from parameters taken from the URL (?para=content)
When these conditions are met, an attacker can invite the victim to click on a link such as:
  http://example.com/;file.bat?para=calc.exe
The victim believes the download comes from example.com, whereas the web browser will save a "file.bat" file containing the line "calc.exe". If the victim then runs file.bat, the calculator is launched.

However, the HttpMessageConverter class of Spring Framework meets the conditions of an RFD attack.

An attacker can therefore trigger a Reflected File Download with Spring Framework, in order to entice the victim into running malicious code.