CVE-2018-11039

UNKNOWN

Published 2018-06-25T15:00:00Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2018-11039. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Pivotal

Spring Framework

Affected Versions:

5.0.x 4.3.x

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Spring Framework Cross Site Tracing (XST)

GHSA-9gcm-f4x3-8jpw

Advisory Details

Affected Packages

Maven org.springframework:spring-web

ECOSYSTEM: ≥5.0.0 <5.0.7

Maven org.springframework:spring-web

ECOSYSTEM: ≥4.3.0 <4.3.18

CVSS Scoring

CVSS Score

5.0

CVSS Vector


                                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2018-11039

WEB https://github.com/spring-projects/spring-framework/issues/21376

WEB https://github.com/spring-projects/spring-framework/commit/323ccf99e575343f63d56e229c25c35c170b7ec1

WEB https://github.com/spring-projects/spring-framework/commit/a5cd01a4c857aaaba7ccc51545fc73dd25b5cba5

WEB https://github.com/spring-projects/spring-framework/commit/dac97f1b7dac3e70ff603fb6fc9f205b95dd6b01

WEB https://github.com/spring-projects/spring-framework/commit/f2694a8ed93f1f63f87ce45d0bb638478b426acd

WEB https://github.com/spring-projects/spring-framework/commit/f64fa3dea10af125d612d3a997aece93d21bc875

WEB https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

WEB https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

WEB https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

WEB https://www.oracle.com/security-alerts/cpuoct2021.html

WEB https://www.oracle.com/security-alerts/cpujul2020.html

WEB https://www.oracle.com/security-alerts/cpujan2020.html

WEB https://spring.io/security/cve-2018-11039

WEB https://pivotal.io/security/cve-2018-11039

WEB https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html

PACKAGE https://github.com/spring-projects/spring-framework

ADVISORY https://github.com/advisories/GHSA-9gcm-f4x3-8jpw

WEB http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

WEB http://www.securityfocus.com/bid/107984

Advisory provided by GitHub Security Advisory Database. Published: October 16, 2018, Modified: March 5, 2024

References

http://www.securityfocus.com/bid/107984

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/security-alerts/cpujan2020.html

https://pivotal.io/security/cve-2018-11039

https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html

https://www.oracle.com/security-alerts/cpuoct2021.html

Published: 2018-06-25T15:00:00Z

Last Modified: 2024-09-16T22:08:49.057Z

Copied to clipboard!

CVE-2018-11039

Expert Analysis

Description

Available Exploits

Related News

Affected Products

Spring Framework

Affected Versions:

GitHub Security Advisories

Spring Framework Cross Site Tracing (XST)

Advisory Details

Affected Packages

CVSS Scoring

CVSS Score

CVSS Vector

References

References

Request Analysis

What to expect

Request Received!