Vulnerability CVE-2018-1258

Published: 2018-05-11

Description:
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

Type:
CWE-863 (Incorrect Authorization)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10

Exploit range: Remote
Attack complexity: Low
Authentication: Single time

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial
Affected software:
Pivotal software -> Spring framework
Pivotal software -> Spring security
Oracle -> Agile plm
Oracle -> Retail integration bus
Oracle -> Big data discovery
Oracle -> Retail point-of-service
Oracle -> Endeca information discovery integrator
Oracle -> Retail returns management
Oracle -> Application testing suite
Oracle -> Enterprise manager for mysql database
Oracle -> Weblogic server
Oracle -> Communications diameter signaling router
Oracle -> Enterprise manager ops center
Oracle -> Health sciences information manager
Oracle -> Enterprise repository
Oracle -> Healthcare master person index
Oracle -> Goldengate for big data
Oracle -> Insurance calculation engine
Oracle -> Hospitality guest access
Oracle -> Insurance rules palette
Oracle -> Insurance policy administration
Oracle -> Retail customer insights
Oracle -> Micros lucas
Oracle -> Service architecture leveraging tuxedo
Oracle -> Mysql enterprise monitor
Oracle -> Tape library acsls
Oracle -> Peoplesoft enterprise fin install
Oracle -> Retail assortment planning
Oracle -> Retail back office
Oracle -> Retail central office
Oracle -> Retail financial integration
Netapp -> Oncommand insight
Netapp -> Oncommand workflow automation
Netapp -> Snapcenter
Netapp -> Storage automation store

References:
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/104222
http://www.securitytracker.com/id/1041888
http://www.securitytracker.com/id/1041896
https://access.redhat.com/errata/RHSA-2019:2413
https://pivotal.io/security/cve-2018-1258
https://security.netapp.com/advisory/ntap-20181018-0002/
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Copyright 2024, cxsecurity.com