Vulnerability CVE-2018-1272

Published: 2018-04-06

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted into the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example if the part content represents a username or user roles.
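The server A to server B flow described above, as an added example that is not Spring's own code: a naive multipart writer that copies part content verbatim, beside a hardened writer that refuses content containing the delimiter sequence, plus a minimal receiver and a duplicate-part check for server B. The writer, parser and the fixed boundary value are simplified, constructed stand-ins for the example, not Spring's FormHttpMessageConverter or its boundary generation; in practice an unpredictable per-request boundary complements the content check.

```python
import re
from collections import Counter

BOUNDARY = "boundary-constructed-for-example"  # fixed so the example is deterministic

def write_multipart_naive(parts, boundary=BOUNDARY):
    """Vulnerable writer (server A): part content is copied verbatim, so content
    holding CRLF plus the delimiter line starts a new part inside the body."""
    body = ""
    for name, value in parts:
        body += (f"--{boundary}\r\n"
                 f'Content-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n')
    return body + f"--{boundary}--\r\n"

def write_multipart_hardened(parts, boundary=BOUNDARY):
    """Hardened writer: reject names that can break the header line and values
    that contain the delimiter, so untrusted content cannot add parts."""
    for name, value in parts:
        if re.search(r'[\r\n"]', name):
            raise ValueError(f"part name {name!r} contains header-breaking characters")
        if f"--{boundary}" in value:
            raise ValueError(f"part {name!r} contains the multipart delimiter")
    return write_multipart_naive(parts, boundary)

def parse_multipart(body, boundary=BOUNDARY):
    """Minimal receiver (server B): returns [(name, content), ...] in body order.
    dict(parts) then reproduces the common last-part-wins behaviour."""
    parts = []
    for chunk in body.split(f"--{boundary}")[1:]:
        if chunk.startswith("--"):                     # closing delimiter
            break
        headers, _, content = chunk.lstrip("\r\n").partition("\r\n\r\n")
        match = re.search(r'name="([^"]*)"', headers)
        if match:
            parts.append((match.group(1), content[:-2]))  # drop CRLF before next delimiter
    return parts

def anomalies(parts, expected_names):
    """Detection check for server B: duplicated or unexpected part names."""
    counts = Counter(name for name, _ in parts)
    return sorted(n for n, c in counts.items() if c > 1 or n not in expected_names)

# Constructed untrusted client input: a username that carries a second "role" part.
SMUGGLING_USERNAME = ("alice\r\n" f"--{BOUNDARY}\r\n"
                      'Content-Disposition: form-data; name="role"\r\n\r\nadmin')

def forward(username, writer=write_multipart_naive):
    """Server A builds its request to server B from the client-supplied username."""
    return parse_multipart(writer([("role", "user"), ("username", username)]))
```

With the naive writer, server B parses three parts and a last-wins lookup returns role=admin; the hardened writer rejects the same input before any request is built.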



CVSS2 vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P)

CVSS Base Score: 6.5
Impact Subscore: 6.4
Exploitability Subscore: 8.0
Exploit range: Network (AV:N)
Attack complexity: Medium (AC:M)
Authentication: Single (Au:S)
Confidentiality impact: Partial (C:P)
Integrity impact: Partial (I:P)
Availability impact: Partial (A:P)
Affected software:
Pivotal software -> Spring framework
Oracle -> Retail open commerce platform
Oracle -> Retail order broker
Oracle -> Application testing suite
Oracle -> Retail point-of-sale
Oracle -> Big data discovery
Oracle -> Retail predictive application server
Oracle -> Communications diameter signaling router
Oracle -> Retail returns management
Oracle -> Enterprise manager ops center
Oracle -> Service architecture leveraging tuxedo
Oracle -> Goldengate for big data
Oracle -> Tape library acsls
Oracle -> Health sciences information manager
Oracle -> Healthcare master person index
Oracle -> Insurance calculation engine
Oracle -> Insurance rules palette
Oracle -> Primavera gateway
Oracle -> Retail back office
Oracle -> Retail central office
Oracle -> Retail customer insights
Oracle -> Retail integration bus
