Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published: 2018-04-11T13:00:00Z

Updated: 2024-09-17T02:43:01.710Z

Reserved: 2017-12-06T00:00:00

Link: CVE-2018-1275

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-04-11T13:29:00.353

Modified: 2023-11-07T02:55:54.387

Link: CVE-2018-1275

cve-icon Redhat

Severity : Critical

Publid Date: 2018-04-09T19:00:00Z

Links: CVE-2018-1275 - Bugzilla