{"id":"CVE-2016-9878","details":"An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.","aliases":["GHSA-2m8h-fgr8-2q9w"],"modified":"2026-04-10T03:55:30.531655Z","published":"2016-12-29T09:59:00.820Z","references":[{"type":"WEB","url":"http://www.securitytracker.com/id/1040698"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"},{"type":"ADVISORY","url":"https://pivotal.io/security/cve-2016-9878"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3115"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20180419-0002/"},{"type":"ADVISORY","url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/95072"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spring-projects/spring-framework","events":[{"introduced":"0"},{"last_affected":"abdcefb460fcbc1348ef04505a78381a2c69a643"},{"introduced":"0"},{"last_affected":"22a14c02c2fad2f7338bb66a759f325f17089612"},{"introduced":"0"},{"last_affected":"b49d801f241fb8088a5b7514db93fda32c58731c"},{"introduced":"0"},{"last_affected":"234cb84e832da30b6f53ccca4ef28043aacfcecc"},{"introduced":"0"},{"last_affected":"8b293e1be40b949b8de5d6ff7411c11416fe3d5a"},{"introduced":"0"},{"last_affected":"7482cf902106db2bff9e912cb67bdeea3adf5855"},{"introduced":"0"},{"last_affected":"fc73f6bb2c2a65fadb4a7720af95bf9850733e60"},{"introduced":"0"},{"last_affected":"015e1bec649d84d146b04e0062723c88e350e1b2"},{"introduced":"0"},{"last_affected":"f440f927198c8b4959c727aec80e9b7423a4f548"},{"introduced":"0"},{"last_affected":"5b99ee299031d331da9d4cc393ff1c24e0c8d63b"},{"introduced":"0"},{"last_affected":"28d43f886c5e387dbb496e850782274ec9176160"},{"introduced":"0"},{"last_affected":"58587159f08a5349801671b486cd781baa63cb9f"},{"introduced":"0"},{"last_affected":"1e727d65772327b5d89d89e4825e44484b6dd681"},{"introduced":"0"},{"last_affected":"30aecf3cc56c568e89e46cac0d87f280c07a847c"},{"introduced":"0"},{"last_affected":"2f9c99e5cfc97e1b8958520b5155aed06d441202"},{"introduced":"0"},{"last_affected":"a1efe4f35d067b93d6ff4b3850ae9b9d6d6f6e26"},{"introduced":"0"},{"last_affected":"0edb85c78b5844a42525705bec2901b773f844c2"},{"introduced":"0"},{"last_affected":"e3e2272a755a53863276850eb80dd5032f3cf571"},{"introduced":"0"},{"last_affected":"d802e2826a85a50b302f3da6770e6583822e2db8"},{"introduced":"0"},{"last_affected":"022f1c335755a00d947540fc307741b419bfe9ac"},{"introduced":"0"},{"last_affected":"201b2d752efc4c79b0d52d90e95dac1093520d5f"},{"introduced":"0"},{"last_affected":"8d6636aab1c2ae892bff33fe66341eda4017cbb6"},{"introduced":"0"},{"last_affected":"345570109ae2dbdafe05a4270f0c710b7d53d050"},{"introduced":"0"},{"last_affected":"137dc19fcdeee5a5edc230b39d2cc47f01624df7"},{"introduced":"0"},{"last_affected":"dd42a21f3968c165af924310fce460694803756f"},{"introduced":"0"},{"last_affected":"77c0292665bc5e61d0e5108f9cd7e066381f28d3"},{"introduced":"0"},{"last_affected":"75bf620ae7df0967965a02e54e01f47ea5fa6f8c"},{"introduced":"0"},{"last_affected":"d111af1b88b53f2589d017a7cb6d068464d9bf77"},{"introduced":"0"},{"last_affected":"a88b80195aedb70d3c351abeba8e6a0a93af339e"},{"introduced":"0"},{"last_affected":"62b8f97f0f50b1e3a930c23aa313ca10aa48498f"},{"introduced":"0"},{"last_affected":"90718ef0d958759527fa7066a7149d8151664dda"},{"introduced":"0"},{"last_affected":"330ba990490286f0d871120e44f0b9297adf0825"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.2.0"},{"introduced":"0"},{"last_affected":"4.2.0"},{"introduced":"0"},{"last_affected":"4.3.0"},{"introduced":"0"},{"last_affected":"3.2.1"},{"introduced":"0"},{"last_affected":"3.2.2"},{"introduced":"0"},{"last_affected":"3.2.3"},{"introduced":"0"},{"last_affected":"3.2.4"},{"introduced":"0"},{"last_affected":"3.2.5"},{"introduced":"0"},{"last_affected":"3.2.6"},{"introduced":"0"},{"last_affected":"3.2.7"},{"introduced":"0"},{"last_affected":"3.2.8"},{"introduced":"0"},{"last_affected":"3.2.9"},{"introduced":"0"},{"last_affected":"3.2.10"},{"introduced":"0"},{"last_affected":"3.2.11"},{"introduced":"0"},{"last_affected":"3.2.12"},{"introduced":"0"},{"last_affected":"3.2.13"},{"introduced":"0"},{"last_affected":"3.2.14"},{"introduced":"0"},{"last_affected":"3.2.15"},{"introduced":"0"},{"last_affected":"3.2.16"},{"introduced":"0"},{"last_affected":"3.2.17"},{"introduced":"0"},{"last_affected":"4.2.1"},{"introduced":"0"},{"last_affected":"4.2.2"},{"introduced":"0"},{"last_affected":"4.2.3"},{"introduced":"0"},{"last_affected":"4.2.4"},{"introduced":"0"},{"last_affected":"4.2.5"},{"introduced":"0"},{"last_affected":"4.2.6"},{"introduced":"0"},{"last_affected":"4.2.7"},{"introduced":"0"},{"last_affected":"4.2.8"},{"introduced":"0"},{"last_affected":"4.3.1"},{"introduced":"0"},{"last_affected":"4.3.2"},{"introduced":"0"},{"last_affected":"4.3.3"},{"introduced":"0"},{"last_affected":"4.3.4"}]}}],"versions":["v3.2.0.M1","v3.2.0.M2","v3.2.0.RC1","v3.2.0.RC2-A","v3.2.0.RELEASE","v3.2.1.RELEASE","v3.2.10.RELEASE","v3.2.11.RELEASE","v3.2.12.RELEASE","v3.2.13.RELEASE","v3.2.14.RELEASE","v3.2.15.RELEASE","v3.2.16.RELEASE","v3.2.17.RELEASE","v3.2.2.RELEASE","v3.2.3.RELEASE","v3.2.4.RELEASE","v3.2.5.RELEASE","v3.2.6.RELEASE","v3.2.7.RELEASE","v3.2.8.RELEASE","v3.2.9.RELEASE","v4.0.0.M1","v4.0.0.M2","v4.0.0.M3","v4.0.0.RC1","v4.0.0.RC2","v4.2.0.RELEASE","v4.2.1.RELEASE","v4.2.2.RELEASE","v4.2.3.RELEASE","v4.2.4.RELEASE","v4.2.5.RELEASE","v4.2.6.RELEASE","v4.2.7.RELEASE","v4.2.8.RELEASE","v4.3.0.RELEASE","v4.3.1.RELEASE","v4.3.2.RELEASE","v4.3.3.RELEASE","v4.3.4.RELEASE"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9878.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}