CVE-2018-11039 - Vulnerability Details

- springframework: Cross Site Tracing (XST) if vulnerable to XSS

Description

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Published: 2018-06-25

Score: 5.9 Medium

EPSS: 2.6% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Pivotal

Spring Framework

affected

Version	Status	Constraints
`5.0.x`	affected	< 5.0.7
`4.3.x`	affected	< 4.3.18

Configuration 1 [-]

OR	cpe:2.3:a:vmware:spring_framework::::::::
	cpe:2.3:a:vmware:spring_framework::::::::

Configuration 2 [-]

OR	cpe:2.3:a:oracle:agile_plm:9.3.3:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.4:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.5:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
	cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:::::::*
	cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:::::::*
	cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:::::::*
	cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:::::::*
	cpe:2.3:a:oracle:communications_diameter_signaling_router::::::::
	cpe:2.3:a:oracle:communications_network_integrity::::::::
	cpe:2.3:a:oracle:communications_online_mediation_controller:6.1:::::::*
	cpe:2.3:a:oracle:communications_performance_intelligence_center::::::::
	cpe:2.3:a:oracle:communications_services_gatekeeper::::::::
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*
	cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:::::::*
	cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:13.2:::::::*
	cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:::::::*
	cpe:2.3:a:oracle:health_sciences_information_manager:3.0:::::::*
	cpe:2.3:a:oracle:healthcare_master_person_index:3.0:::::::*
	cpe:2.3:a:oracle:healthcare_master_person_index:4.0:::::::*
	cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:::::::*
	cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:::::::*
	cpe:2.3:a:oracle:insurance_calculation_engine::::::::
	cpe:2.3:a:oracle:insurance_calculation_engine:10.2:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:10.0:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:10.2:::::::*
	cpe:2.3:a:oracle:micros_lucas:2.9.5:::::::*
	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:::::::*
	cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:::::::*
	cpe:2.3:a:oracle:retail_assortment_planning:14.1:::::::*
	cpe:2.3:a:oracle:retail_assortment_planning:15.0:::::::*
	cpe:2.3:a:oracle:retail_assortment_planning:16.0:::::::*
	cpe:2.3:a:oracle:retail_clearance_optimization_engine:14.0.5:::::::*
	cpe:2.3:a:oracle:retail_customer_insights:15.0:::::::*
	cpe:2.3:a:oracle:retail_customer_insights:16.0:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:13.2:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:14.0:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:14.1:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:15.0:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:16.0:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:14.1.2:::::::*
	cpe:2.3:a:oracle:retail_markdown_optimization:13.4.4:::::::*
	cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3.26:::::::*
	cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.37:::::::*
	cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3..100:::::::*
	cpe:2.3:a:oracle:retail_predictive_application_server:16.0:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:::::::*
	cpe:2.3:a:oracle:utilities_network_management_system:1.12.0.3:::::::*
	cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*

Configuration 3 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-2635-1	libspring-java security update
EUVD	EUVD-2018-0561	Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
Github GHSA	GHSA-9gcm-f4x3-8jpw	Spring Framework Cross Site Tracing (XST)

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.02602.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/107984
https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html
https://nvd.nist.gov/vuln/detail/CVE-2018-11039
https://pivotal.io/security/cve-2018-11039
https://www.cve.org/CVERecord?id=CVE-2018-11039
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

History

No history.

Subscriptions

Debian Debian Linux

Oracle Agile Plm Application Testing Suite Communications Diameter Signaling Router Communications Network Integrity Communications Online Mediation Controller Communications Performance Intelligence Center Communications Services Gatekeeper Communications Unified Inventory Management Endeca Information Discovery Integrator Enterprise Manager Base Platform Enterprise Manager For Mysql Database Enterprise Manager Ops Center Health Sciences Information Manager Healthcare Master Person Index Hospitality Guest Access Insurance Calculation Engine Insurance Rules Palette Micros Lucas Mysql Enterprise Monitor Primavera P6 Enterprise Project Portfolio Management Retail Advanced Inventory Planning Retail Assortment Planning Retail Clearance Optimization Engine Retail Customer Insights Retail Financial Integration Retail Integration Bus Retail Markdown Optimization Retail Predictive Application Server Retail Xstore Point Of Service Utilities Network Management System Weblogic Server

Vmware Spring Framework

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2018-06-25T15:00:00.000Z

Updated: 2024-09-16T22:08:49.057Z

Reserved: 2018-05-14T00:00:00.000Z

Link: CVE-2018-11039

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-06-25T15:29:00.317

Modified: 2024-11-21T03:42:32.633

Link: CVE-2018-11039

Redhat

Severity : Low

Publid Date: 2018-06-14T00:00:00Z

Links: CVE-2018-11039 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object