Directory Traversal with Spring MVC on Windows (CVE-2018-1271)
Recently a directory traversal vulnerability in the Spring Framework was published (CVE-2018-1271). A Spring application is only vulnerable when it is deployed on a Microsoft Windows-based operating system and the application developer uses the “file://” scheme as the location of the static resources.
Figure 1: Example of a vulnerable resource path configuration
The answer to why only applications deployed on servers running Microsoft Windows are vulnerable can be found in the GitHub commit that fixes the vulnerability. The “isInvalidEncodedPath” function covered only the “../” form of directory traversal, while Windows also accepts paths containing backslashes, so “..\” leads to directory traversal as well.
Figure 2: Spring Framework’s GitHub commit fixing the vulnerability
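To make the separator gap concrete, here is an added, stand-alone example (not Spring’s own code; the function names and the sample request paths are constructed for illustration). It places a check that only rejects “../” next to a hardened check that percent-decodes the path, treats a backslash as a separator when the application runs on Windows, and rejects any “..” segment. It goes slightly beyond the page by decoding repeatedly so that double-encoded input is also caught.

```python
"""Defender-side comparison of two traversal checks for static-resource paths.

Added example, not code from the Spring project. Function names are
assumptions chosen to mirror the page's description of the fix.
"""
from urllib.parse import unquote


def naive_is_invalid(path: str) -> bool:
    """Pre-fix style check: percent-decode once and reject only the
    forward-slash form of a parent-directory reference."""
    decoded = unquote(path)
    return "../" in decoded


def is_invalid_encoded_path(path: str, windows: bool = True) -> bool:
    """Hardened check.

    1. Percent-decode until the string stops changing, so a double-encoded
       "%252e%252e" is reduced to ".." before inspection (assumption: three
       rounds are enough for any realistic input).
    2. On Windows, treat "\\" as a path separator, exactly the case the
       original check missed.
    3. Reject the path if any segment is exactly "..".
    """
    decoded = path
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    if windows:
        decoded = decoded.replace("\\", "/")
    return ".." in decoded.split("/")


# Constructed sample request paths; the last two are benign.
SAMPLE_PATHS = [
    "/static/../app.properties",        # plain forward-slash traversal
    "/static/%2e%2e/app.properties",    # encoded forward-slash traversal
    "/static/..\\app.properties",       # backslash traversal (Windows only)
    "/static/..%5c..%5capp.properties", # encoded backslash traversal
    "/static/%252e%252e/app.properties",# double-encoded traversal
    "/static/css/site.css",
    "/static/img/a..b.png",             # ".." inside a segment is not traversal
]


def compare(paths=SAMPLE_PATHS, windows=True):
    """Return (path, naive_verdict, hardened_verdict) for each sample path."""
    return [(p, naive_is_invalid(p), is_invalid_encoded_path(p, windows))
            for p in paths]


if __name__ == "__main__":
    for path, naive, hardened in compare():
        print(f"{path:40} naive={naive!s:5} hardened={hardened}")
```

Running the block shows the two backslash variants passing the naive check and being rejected by the hardened one, and the same inputs being accepted when `windows=False`, which matches the page’s statement that only Windows deployments are affected.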
Mitigating the vulnerability with BIG-IP ASM
BIG-IP ASM customers on any supported BIG-IP version are already protected against this vulnerability. Exploitation attempts are detected by the existing “Directory Traversal” and “IIS Backslashes” evasion-technique checks applied to the URL.
Figure 3: Exploitation attempt blocked by “Directory Traversals” evasion technique.
Figure 4: Exploitation attempt blocked by “IIS backslashes” evasion technique.