
CVE-2018-11040

UNKNOWN
Published 2018-06-25T15:00:00Z


No CVSS data recorded for this entry; see the GitHub Security Advisory scoring further down.

Description

Spring Framework versions 5.0.x prior to 5.0.7, 4.3.x prior to 4.3.18, and older unsupported versions let web applications enable cross-domain requests via JSONP (JSON with Padding), through AbstractJsonpResponseBodyAdvice for REST controllers and through MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot. However, once MappingJackson2JsonView is configured in an application, JSONP support is ready to use with no further configuration: any request carrying a "jsonp" or "callback" query parameter gets its JSON body wrapped in a function call, enabling cross-domain reads.

Why this matters: a JSONP response is valid JavaScript, so a page on any origin can load the endpoint with a script tag (the browser attaches the victim's cookies), and the callback function on the attacker's page receives the data. This bypasses the same-origin policy for an application that merely wanted to render JSON and never intended to offer JSONP. That is the confidentiality impact reflected in the CVSS vector below (C:H, with integrity and availability unaffected); exploitation needs a victim with an active session who visits the attacker's page, hence AC:H. Both classes ship in the spring-webmvc artifact (Spring Framework modules are released together, so a spring-core version in the affected range implies an affected spring-webmvc).

Fix: upgrade to 5.0.7 or 4.3.18, where MappingJackson2JsonView no longer wraps responses unless JSONP parameter names are configured explicitly; JSONP support was deprecated in Spring Framework 5.1 in favour of CORS.
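The configuration below is an added example, not Spring's own code or part of the advisory. It shows the two ways the vulnerability is reached or avoided: a Spring MVC configuration that simply registers MappingJackson2JsonView (exposed on affected versions), and a hardened variant that empties the JSONP parameter names and grants cross-origin access through an explicit CORS allow-list instead. The class names, the /api/** path and the origin https://app.example.com are assumptions for illustration.

```java
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

// Added example (assumed class and bean names, not Spring's or the advisory's code).

// EXPOSED on 4.3.x < 4.3.18 and 5.0.x < 5.0.7: registering the view is enough.
// The default jsonpParameterNames on those versions are "jsonp" and "callback", so
//   GET /api/account?callback=leak        (browser sends the victim's session cookie)
// is answered as  /**/leak({"email":"..."});  which any origin can load with
// <script src="https://victim.example/api/account?callback=leak"></script>
// and read through its own window.leak(data) function.
@Configuration
@EnableWebMvc
class ExposedJsonViewConfig {

    @Bean
    public MappingJackson2JsonView jsonView() {
        // No JSONP intended here, yet it is reachable on affected versions.
        return new MappingJackson2JsonView();
    }
}

// HARDENED: same view with JSONP explicitly switched off, so "callback" and
// "jsonp" query parameters are ignored and the body stays plain JSON, which the
// browser's same-origin policy protects. Upgrading to 4.3.18 / 5.0.7 makes the
// empty set the default; setting it explicitly also documents the intent for
// code reviewers and keeps the behaviour stable across versions.
@Configuration
@EnableWebMvc
public class HardenedJsonViewConfig implements WebMvcConfigurer {

    @Bean
    public MappingJackson2JsonView jsonView() {
        MappingJackson2JsonView view = new MappingJackson2JsonView();
        view.setJsonpParameterNames(Collections.emptySet());
        return view;
    }

    // Where a second origin genuinely needs the data, grant it via CORS with an
    // explicit origin allow-list (assumed origin and path) rather than JSONP:
    // the browser enforces the allow-list, and credentials are only sent when
    // allowCredentials is true for a listed origin.
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOrigins("https://app.example.com")
                .allowedMethods("GET")
                .allowCredentials(true);
    }
}
```

To check an existing deployment, issue an authenticated request to a JSON endpoint with `?callback=probe` appended: a body beginning with `/**/probe(` means JSONP wrapping is active and the endpoint is readable cross-origin; a plain JSON body means it is not.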

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Moderate severity vulnerability that affects org.springframework:spring-core

GHSA-f26x-pr96-vw86

Advisory Details

Same text as the CVE description above.

Affected Packages

Maven org.springframework:spring-core, versions ≥5.0.0.RELEASE and <5.0.7.RELEASE (fixed in 5.0.7.RELEASE)
Maven org.springframework:spring-core, versions ≥4.3.0.RELEASE and <4.3.18.RELEASE (fixed in 4.3.18.RELEASE)

CVSS Scoring

CVSS Score

5.9 (CVSS 3.0 base score for the vector below; the value 5.0 previously shown here does not match this vector and likely came from a CVSS v2 rating)

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Advisory provided by GitHub Security Advisory Database. Published: October 16, 2018, Modified: May 15, 2024

References

Published: 2018-06-25T15:00:00Z
Last Modified: 2024-09-17T02:06:00.434Z