Vulnerability CVE-2018-11040


Published: 2018-06-25

Description:
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
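The following configuration is an added illustration and is not part of this record or of the Spring project's own code. It shows the weak setting described above (a MappingJackson2JsonView registered with its defaults, so the "jsonp" and "callback" query parameters switch the response to JSONP) next to a hardened one that clears the JSONP parameter names so the view always emits plain application/json. `setJsonpParameterNames` is the existing setter of MappingJackson2JsonView in the 4.3.x and 5.0.x lines; the class name, method names and bean name are assumptions. The primary remediation remains the upgrade to 4.3.18 / 5.0.7 named in the description.

```java
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

// Hypothetical configuration class (assumed name) contrasting the affected default
// with an explicit opt-out of JSONP in MappingJackson2JsonView.
@Configuration
public class JsonViewConfig {

    // Weak setting, shown for contrast only (deliberately NOT registered as a bean).
    // In affected versions the view ships with "jsonp" and "callback" as JSONP
    // parameter names, so a request carrying ?callback=fn is answered as
    // application/javascript and can be loaded cross-origin via a <script> tag.
    static MappingJackson2JsonView affectedDefaultView() {
        return new MappingJackson2JsonView();
    }

    // Hardened setting: no query parameter can turn this view into JSONP.
    // With an empty parameter set the view ignores "jsonp"/"callback" and
    // always renders the model as application/json.
    @Bean
    public MappingJackson2JsonView jsonView() {
        MappingJackson2JsonView view = new MappingJackson2JsonView();
        view.setJsonpParameterNames(Collections.emptySet());
        return view;
    }
}
```

To confirm the hardening took effect, request any endpoint rendered by this view with a `callback` query parameter and check the response: the `Content-Type` header should still read `application/json` and the body should be a bare JSON document, not a function-call wrapper. Applications that additionally register a `@ControllerAdvice` subclass of AbstractJsonpResponseBodyAdvice need to remove that advice as well, since it enables JSONP independently of the view.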

Type:

CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)

CVSS v2 vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Overall CVSS score: 4.3/10
Impact subscore: 2.9/10
Exploitability subscore: 8.6/10

Access required: Remote
Attack complexity: Medium
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: None
Availability impact: None
Affected software:
Pivotal Software -> Spring Framework
Oracle -> Utilities Network Management System
Oracle -> WebLogic Server
Oracle -> Agile Product Lifecycle Management
Oracle -> Application Testing Suite
Oracle -> Communications Unified Inventory Management
Oracle -> Endeca Information Discovery Integrator
Oracle -> Enterprise Manager
Oracle -> Enterprise Manager Ops Center
Oracle -> FLEXCUBE Private Banking
Oracle -> Healthcare Master Person Index
Oracle -> Hospitality Guest Access
Oracle -> Insurance Rules Palette
Oracle -> MICROS Lucas
Oracle -> MySQL Enterprise Monitor
Oracle -> Product Lifecycle Management
Oracle -> Retail Customer Insights

References:
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://pivotal.io/security/cve-2018-11040
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Copyright 2021, cxsecurity.com
