{"containers": {"cna": {"affected": [{"product": "Spring Framework", "vendor": "Pivotal", "versions": [{"lessThan": "5.0.7", "status": "affected", "version": "5.0.x", "versionType": "custom"}, {"lessThan": "4.3.18", "status": "affected", "version": "4.3.x", "versionType": "custom"}]}], "datePublic": "2018-06-14T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the \"jsonp\" and \"callback\" JSONP parameters, enabling cross-domain requests."}], "problemTypes": [{"descriptions": [{"description": "JSONP enabled by default in MappingJackson2JsonView", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-20T10:37:57.000Z", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://pivotal.io/security/cve-2018-11040"}, {"name": "[debian-lts-announce] 20210423 [SECURITY] [DLA 2635-1] libspring-java security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "source": {"discovery": "UNKNOWN"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@dell.com", "DATE_PUBLIC": "2018-06-14T04:00:00.000Z", "ID": "CVE-2018-11040", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spring Framework", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "5.0.x", "version_value": "5.0.7"}, {"affected": "<", "version_affected": "<", "version_name": "4.3.x", "version_value": "4.3.18"}]}}]}, "vendor_name": "Pivotal"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the \"jsonp\" and \"callback\" JSONP parameters, enabling cross-domain requests."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "JSONP enabled by default in MappingJackson2JsonView"}]}]}, "references": {"reference_data": [{"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"name": "https://www.oracle.com/security-alerts/cpujul2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", "refsource": "CONFIRM", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}, {"name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", "refsource": "MISC", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"}, {"name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "refsource": "MISC", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}, {"name": "https://www.oracle.com/security-alerts/cpujan2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"name": "https://pivotal.io/security/cve-2018-11040", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2018-11040"}, {"name": "[debian-lts-announce] 20210423 [SECURITY] [DLA 2635-1] libspring-java security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T07:54:36.553Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://pivotal.io/security/cve-2018-11040"}, {"name": "[debian-lts-announce] 20210423 [SECURITY] [DLA 2635-1] libspring-java security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2018-11040", "datePublished": "2018-06-25T15:00:00.000Z", "dateReserved": "2018-05-14T00:00:00.000Z", "dateUpdated": "2024-09-17T02:06:00.434Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D3891F0-7BAE-45DD-992E-57DACE8ADEFE", "versionEndExcluding": "4.3.18", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "8331CA8D-B3F4-4999-8E1C-E2AA9C834CAD", "versionEndExcluding": "5.0.7", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "F8C893E4-1D3A-4687-BE5A-D26FFEBCCC78", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "18260EE8-9BC0-4BA1-9642-90FE052E8B18", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "B0BB81C3-29FD-4AE0-8D46-456FAF135F6C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "17EA8B91-7634-4636-B647-1049BA7CA088", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "5B4DF46F-DBCC-41F2-A260-F83A14838F23", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "10F17843-32EA-4C31-B65C-F424447BEF7B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "A125E817-F974-4509-872C-B71933F42AD1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*", "matchCriteriaId": "ABD748C9-24F6-4739-9772-208B98616EE2", "versionEndIncluding": "7.3.6", "versionStartIncluding": "7.3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_online_mediation_controller:6.1:*:*:*:*:*:*:*", "matchCriteriaId": "15817206-C2AD-47B7-B40F-85BB36DB4E78", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*", "matchCriteriaId": "97C1FA4C-5163-420C-A01A-EA36F1039BBB", "versionEndExcluding": "6.1.0.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "1B58BCDA-E173-4D4A-A9C5-E9BFF7E57F58", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "0D299528-8EF0-49AF-9BDE-4B6C6B1DA36C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "17A91FD9-9F77-42D3-A4D9-48BC7568ADE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "539DA24F-E3E0-4455-84C6-A9D96CD601B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "8B65CD29-C729-42AC-925E-014BA19581E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "7E856B4A-6AE7-4317-921A-35B4D2048652", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:enterprise_manager:13.2:*:*:*:*:mysql:*:*", "matchCriteriaId": "5A4FDBC7-FFB4-446F-85F8-79C9A5393648", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "AB654DFA-FEF9-4D00-ADB0-F3F2B6ACF13E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:flexcube_private_banking:2.0.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "ADEA6A93-BD78-47DC-B3C3-6D27239C6647", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:flexcube_private_banking:2.2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "E5104F0A-CD23-4A6E-AD59-B6F5A949B006", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "350DFE94-C24A-40FE-98F8-246D5B7F9D83", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "499A382A-8183-4080-8D48-0E00D5E44EE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "81C24CC1-850E-4BB2-9B50-ABE61984451E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "2A699D02-296B-411E-9658-5893240605D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "7036576C-2B1F-413D-B154-2DBF9BFDE7E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "1A3DC116-2844-47A1-BEC2-D0675DD97148", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "E0F1DF3E-0F2D-4EFC-9A3E-F72149C8AE94", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:insurance_calculation_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "E08D4207-DB46-42D6-A8C9-1BE857483B88", "versionEndIncluding": "11.3.1", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "DB6321F8-7A0A-4DB8-9889-3527023C652A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*", "matchCriteriaId": "02867DC7-E669-43C0-ACC4-E1CAA8B9994C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*", "matchCriteriaId": "98EE20FD-3D21-4E23-95B8-7BD13816EB95", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A94B32D-6B5F-4E42-8345-4F9126A89435", "versionEndIncluding": "3.4.9.4237", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CBB28B5-032D-404C-B555-128457AA4C4A", "versionEndIncluding": "4.0.6.5281", "versionStartIncluding": "3.4.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A45E70E-A57B-4DDE-A419-C7D8E45DEEEE", "versionEndIncluding": "8.0.2.8191", "versionStartIncluding": "4.0.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:product_lifecycle_management:9.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "F6660A17-D819-4930-936D-B9D06834B885", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "517E0654-F1DE-43C4-90B5-FB90CA31734B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "FE91D517-D85D-4A8D-90DC-4561BBF8670E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "AD4AB77A-E829-4603-AF6A-97B9CD0D687F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "6DE15D64-6F49-4F43-8079-0C7827384C86", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_markdown_optimization:13.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "B05A34B4-A853-456C-BD56-3B3FD6397424", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3.26:*:*:*:*:*:*:*", "matchCriteriaId": "6A17D989-66AC-4A17-AB4D-E0EC045FB457", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.37:*:*:*:*:*:*:*", "matchCriteriaId": "14285308-8564-4858-8D31-E40E57B27390", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3.100:*:*:*:*:*:*:*", "matchCriteriaId": "A1C4C280-B319-411B-8510-9B5319E6D312", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "21973CDD-D16E-4321-9F8E-67F4264D7C21", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_service_backbone:16.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "CA3D85CE-DAE9-418A-AA94-779546C0D245", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*", "matchCriteriaId": "A0ED83E3-E6BF-4EAA-AF8F-33485A88A218", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:utilities_network_management_system:1.12.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "EE188B12-D28E-490C-9948-F5305A7D55BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the \"jsonp\" and \"callback\" JSONP parameters, enabling cross-domain requests."}, {"lang": "es", "value": "Spring Framework, en versiones 5.0.x anteriores a la 5.0.7 y versiones 4.3.x anteriores a la 4.3.18 y versiones anteriores sin soporte, permite que las aplicaciones web habiliten peticiones de dominio cruzado mediante JSONP (JSON with Padding) mediante AbstractJsonpResponseBodyAdvice para controladores REST y MappingJackson2JsonView para las peticiones del navegador. Ninguna de las dos est\u00e1 habilitada por defecto en Spring Framework o Spring Boot. Sin embargo, cuando MappingJackson2JsonView est\u00e1 configurado en una aplicaci\u00f3n, el soporte para JSONP est\u00e1 autom\u00e1ticamente listo para ser empleado mediante los par\u00e1metros JSONP \"jsonp\" y \"callback\", lo que habilita peticiones de dominio cruzado."}], "id": "CVE-2018-11040", "lastModified": "2024-11-21T03:42:32.900", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-25T15:29:00.363", "references": [{"source": "security_alert@emc.com", "tags": ["Patch", "Third Party Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"source": "security_alert@emc.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html"}, {"source": "security_alert@emc.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://pivotal.io/security/cve-2018-11040"}, {"source": "security_alert@emc.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"source": "security_alert@emc.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"source": "security_alert@emc.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "security_alert@emc.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"}, {"source": "security_alert@emc.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}, {"source": "security_alert@emc.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://pivotal.io/security/cve-2018-11040"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "springframework: cross-domain requests via JSONP through AbstractJsonpResponseBodyAdvice", "id": "1591931", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591931"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the \"jsonp\" and \"callback\" JSONP parameters, enabling cross-domain requests."], "mitigation": {"lang": "en:us", "value": "According to the upstream advisory, this vulnerability only applies to applications that do all of the following:\n* Explicitly configure MappingJackson2JsonView.\n* Do not set the jsonpParameterNames property of MappingJackson2JsonView to an empty set.\n* Expose sensitive user information over endpoints that can render content with JSONP."}, "name": "CVE-2018-11040", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "springframework", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Out of support scope", "package_name": "springframework", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "springframework", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "springframework", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "springframework", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Out of support scope", "package_name": "springframework", "product_name": "Red Hat JBoss SOA Platform 5"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:11", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 11 (Ocata)"}, {"cpe": "cpe:/a:redhat:openstack:12", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 12 (Pike)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "rhevm-dependencies", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Not affected", "package_name": "rhvm-dependencies", "product_name": "Red Hat Virtualization 4"}], "public_date": "2018-06-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-11040\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-11040"], "statement": "From an OpenDaylight perspective, whilst the shipped versions of Open Dayight ship artifacts which fall within the affected versions (\"older unsupported versions\"), this flaw only has impact when JSONP is used in certain circumstances. Given the libraries themselves are not used in a vulnerable way, being only used as part of tests, no package update to mitigate this flaw for Open Daylight is required.\nThe package rhevm-dependencies does not include the spring-webmvc component, where this vulnerability exists.", "threat_severity": "Low"}

{}