Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2018-11039

Опубликовано: 25 июн. 2018
Источник: debian

Описание

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
libspring-javafixed4.3.19-1package
libspring-javano-dsajessiepackage

Примечания

  • https://pivotal.io/security/cve-2018-11039

  • https://jira.spring.io/si/jira.issueviews:issue-html/SPR-16836/SPR-16836.html

  • https://github.com/spring-projects/spring-framework/commit/f64fa3dea10af125d612d3a997aece93d21bc875 (v5.1)

  • https://github.com/spring-projects/spring-framework/commit/a5cd01a4c857aaaba7ccc51545fc73dd25b5cba5 (v5.1)

  • https://github.com/spring-projects/spring-framework/commit/323ccf99e575343f63d56e229c25c35c170b7ec1 (v4.3.18)

Связанные уязвимости

ubuntu логотип

CVE-2018-11039

CVSS3: 5.9
ubuntu
почти 7 лет назад

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

redhat логотип

CVE-2018-11039

CVSS3: 3.7
redhat
около 7 лет назад

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

nvd логотип

CVE-2018-11039

CVSS3: 5.9
nvd
почти 7 лет назад

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

github логотип

GHSA-9gcm-f4x3-8jpw

CVSS3: 5.9
github
больше 6 лет назад

Spring Framework Cross Site Tracing (XST)

fstec логотип

BDU:2019-00563

CVSS3: 5.9
fstec
почти 7 лет назад

Уязвимость реализации механизма HiddenHttpMethodFilter программной платформы Spring Framework, позволяющая нарушителю осуществить межсайтовую сценарную атаку