FKIE_CVE-2018-11039

Vulnerability from fkie_nvd - Published: 2018-06-25 15:29 - Updated: 2024-11-21 03:42
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
References
security_alert@emc.comhttp://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlPatch, Third Party Advisory
security_alert@emc.comhttp://www.securityfocus.com/bid/107984Broken Link, Third Party Advisory, VDB Entry
security_alert@emc.comhttps://lists.debian.org/debian-lts-announce/2021/04/msg00022.htmlMailing List, Third Party Advisory
security_alert@emc.comhttps://pivotal.io/security/cve-2018-11039Mitigation, Vendor Advisory
security_alert@emc.comhttps://www.oracle.com/security-alerts/cpujan2020.htmlPatch, Third Party Advisory
security_alert@emc.comhttps://www.oracle.com/security-alerts/cpujul2020.htmlPatch, Third Party Advisory
security_alert@emc.comhttps://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
security_alert@emc.comhttps://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatch, Third Party Advisory
security_alert@emc.comhttps://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlPatch, Third Party Advisory
security_alert@emc.comhttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/107984Broken Link, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2021/04/msg00022.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://pivotal.io/security/cve-2018-11039Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujan2020.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujul2020.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlPatch, Third Party Advisory
Impacted products
Vendor Product Version
vmware spring_framework *
vmware spring_framework *
oracle agile_plm 9.3.3
oracle agile_plm 9.3.4
oracle agile_plm 9.3.5
oracle agile_plm 9.3.6
oracle application_testing_suite 12.5.0.3
oracle application_testing_suite 13.1.0.1
oracle application_testing_suite 13.2.0.1
oracle application_testing_suite 13.3.0.1
oracle communications_diameter_signaling_router *
oracle communications_network_integrity *
oracle communications_online_mediation_controller 6.1
oracle communications_performance_intelligence_center *
oracle communications_services_gatekeeper *
oracle communications_unified_inventory_management 7.3.2
oracle communications_unified_inventory_management 7.3.4
oracle communications_unified_inventory_management 7.3.5
oracle communications_unified_inventory_management 7.4.0
oracle endeca_information_discovery_integrator 3.1.0
oracle endeca_information_discovery_integrator 3.2.0
oracle enterprise_manager_base_platform 12.1.0.5.0
oracle enterprise_manager_base_platform 13.2.0.0.0
oracle enterprise_manager_base_platform 13.3.0.0.0
oracle enterprise_manager_for_mysql_database 13.2
oracle enterprise_manager_ops_center 12.3.3
oracle health_sciences_information_manager 3.0
oracle healthcare_master_person_index 3.0
oracle healthcare_master_person_index 4.0
oracle hospitality_guest_access 4.2.0
oracle hospitality_guest_access 4.2.1
oracle insurance_calculation_engine *
oracle insurance_calculation_engine 10.2
oracle insurance_rules_palette 10.0
oracle insurance_rules_palette 10.2
oracle micros_lucas 2.9.5
oracle mysql_enterprise_monitor *
oracle mysql_enterprise_monitor *
oracle mysql_enterprise_monitor *
oracle primavera_p6_enterprise_project_portfolio_management 18.8
oracle retail_advanced_inventory_planning 15.0
oracle retail_assortment_planning 14.1
oracle retail_assortment_planning 15.0
oracle retail_assortment_planning 16.0
oracle retail_clearance_optimization_engine 14.0.5
oracle retail_customer_insights 15.0
oracle retail_customer_insights 16.0
oracle retail_financial_integration 13.2
oracle retail_financial_integration 14.0
oracle retail_financial_integration 14.1
oracle retail_financial_integration 15.0
oracle retail_financial_integration 16.0
oracle retail_integration_bus 14.1.2
oracle retail_markdown_optimization 13.4.4
oracle retail_predictive_application_server 14.0.3.26
oracle retail_predictive_application_server 14.1.3.37
oracle retail_predictive_application_server 15.0.3..100
oracle retail_predictive_application_server 16.0
oracle retail_xstore_point_of_service 7.1
oracle utilities_network_management_system 1.12.0.3
oracle weblogic_server 10.3.6.0.0
oracle weblogic_server 12.1.3.0.0
oracle weblogic_server 12.2.1.3.0
debian debian_linux 9.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D3891F0-7BAE-45DD-992E-57DACE8ADEFE",
              "versionEndExcluding": "4.3.18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8331CA8D-B3F4-4999-8E1C-E2AA9C834CAD",
              "versionEndExcluding": "5.0.7",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "D14ABF04-E460-4911-9C6C-B7BCEFE68E9D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "CCF62B0C-A8BD-40E6-9E4E-E684F4E87ACD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "ED43772F-D280-42F6-A292-7198284D6FE7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "17EA8B91-7634-4636-B647-1049BA7CA088",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "5B4DF46F-DBCC-41F2-A260-F83A14838F23",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "10F17843-32EA-4C31-B65C-F424447BEF7B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A125E817-F974-4509-872C-B71933F42AD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF5A0F0D-313D-4F5C-AD6D-8C118D5CD8D8",
              "versionEndExcluding": "8.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABD748C9-24F6-4739-9772-208B98616EE2",
              "versionEndIncluding": "7.3.6",
              "versionStartIncluding": "7.3.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_online_mediation_controller:6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "15817206-C2AD-47B7-B40F-85BB36DB4E78",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "468931C8-C76A-4E47-BF00-185D85F719C5",
              "versionEndExcluding": "10.2.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "97C1FA4C-5163-420C-A01A-EA36F1039BBB",
              "versionEndExcluding": "6.1.0.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "1B58BCDA-E173-4D4A-A9C5-E9BFF7E57F58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "0D299528-8EF0-49AF-9BDE-4B6C6B1DA36C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "17A91FD9-9F77-42D3-A4D9-48BC7568ADE1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "539DA24F-E3E0-4455-84C6-A9D96CD601B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8B65CD29-C729-42AC-925E-014BA19581E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7E856B4A-6AE7-4317-921A-35B4D2048652",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "98F3E643-4B65-4668-BB11-C61ED54D5A53",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "459B4A5F-A6BD-4A1C-B6B7-C979F005EB70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CDCE0E90-495E-4437-8529-3C36441FB69D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:13.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "51C25F23-6800-48A2-881C-C2A2C3FA045C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB654DFA-FEF9-4D00-ADB0-F3F2B6ACF13E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9027528A-4FE7-4E3C-B2DF-CCCED22128F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2A699D02-296B-411E-9658-5893240605D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7036576C-2B1F-413D-B154-2DBF9BFDE7E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1A3DC116-2844-47A1-BEC2-D0675DD97148",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "E0F1DF3E-0F2D-4EFC-9A3E-F72149C8AE94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_calculation_engine:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E08D4207-DB46-42D6-A8C9-1BE857483B88",
              "versionEndIncluding": "11.3.1",
              "versionStartIncluding": "11.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "641D134E-6C51-4DB8-8554-F6B5222EF479",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB6321F8-7A0A-4DB8-9889-3527023C652A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "02867DC7-E669-43C0-ACC4-E1CAA8B9994C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "98EE20FD-3D21-4E23-95B8-7BD13816EB95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A94B32D-6B5F-4E42-8345-4F9126A89435",
              "versionEndIncluding": "3.4.9.4237",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF71D94F-EFC5-4390-A380-AC0E5DB05516",
              "versionEndIncluding": "4.0.6.5281",
              "versionStartIncluding": "4.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "33EFAF19-A639-47AD-9CDC-D174C91F0F00",
              "versionEndIncluding": "8.0.2.8191",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "0745445C-EC43-4091-BA7C-5105AFCC6F1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "517E0654-F1DE-43C4-90B5-FB90CA31734B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_assortment_planning:14.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "921B7906-A20A-4313-9398-D542A4198BBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D09C6958-DD7C-4B43-B7F0-4EE65ED5B582",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1BBFE031-4BD1-4501-AC62-DC0AFC2167B7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE91D517-D85D-4A8D-90DC-4561BBF8670E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "AD4AB77A-E829-4603-AF6A-97B9CD0D687F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DE15D64-6F49-4F43-8079-0C7827384C86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_financial_integration:13.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "ACB5604C-69AF-459D-A82D-8A3B78CF2655",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_financial_integration:14.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "655CF3AE-B649-4282-B727-8B3C5D829C40",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_financial_integration:14.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "53CFE454-3E73-4A88-ABEE-322139B169A8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "457C8C66-FB0C-4532-9027-8777CF42D17A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF2B9DA6-2937-4574-90DF-09FD770B23D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "20357086-0C32-44B5-A1FA-79283E88FB47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_markdown_optimization:13.4.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B05A34B4-A853-456C-BD56-3B3FD6397424",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3.26:*:*:*:*:*:*:*",
              "matchCriteriaId": "6A17D989-66AC-4A17-AB4D-E0EC045FB457",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.37:*:*:*:*:*:*:*",
              "matchCriteriaId": "14285308-8564-4858-8D31-E40E57B27390",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3..100:*:*:*:*:*:*:*",
              "matchCriteriaId": "A0BBB59C-D3B4-4CA9-870B-3FB9118F3F4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "21973CDD-D16E-4321-9F8E-67F4264D7C21",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A0ED83E3-E6BF-4EAA-AF8F-33485A88A218",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:utilities_network_management_system:1.12.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE188B12-D28E-490C-9948-F5305A7D55BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B40B13B7-68B3-4510-968C-6A730EB46462",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C93CC705-1F8C-4870-99E6-14BF264C3811",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack."
    },
    {
      "lang": "es",
      "value": "Spring Framework (versiones 5.0.x anteriores a la 5.0.7, versiones 4.3.x anteriores a la 4.3.18 y versiones anteriores sin soporte) permite que las aplicaciones web cambien el m\u00e9todo de petici\u00f3n HTTP a cualquier m\u00e9todo HTTP (incluyendo TRACE) utilizando HiddenHttpMethodFilter en Spring MVC. Si una aplicaci\u00f3n tiene una vulnerabilidad Cross-Site Scripting (XSS) preexistente, un usuario (o atacante) malicioso puede emplear este filtro para escalar a un ataque XST (Cross Site Tracing)."
    }
  ],
  "id": "CVE-2018-11039",
  "lastModified": "2024-11-21T03:42:32.633",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-06-25T15:29:00.317",
  "references": [
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
    },
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Broken Link",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/107984"
    },
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html"
    },
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://pivotal.io/security/cve-2018-11039"
    },
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
    },
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    },
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
    },
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
    },
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/107984"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://pivotal.io/security/cve-2018-11039"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
    }
  ],
  "sourceIdentifier": "security_alert@emc.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.