Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2018-1257

Опубликовано: 11 мая 2018
Источник: debian
EPSS Низкий

Описание

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
libspring-javafixed4.3.19-1package
libspring-javaignoredstretchpackage
libspring-javanot-affectedjessiepackage

Примечания

  • https://pivotal.io/security/cve-2018-1257

  • websocket introduced in v4 https://github.com/spring-projects/spring-framework/commit/4e67f809fbc1957e40fc787686b63254eaa8d7fa

  • https://github.com/spring-projects/spring-framework/issues/26821 (patch unidentifiable)

EPSS

Процентиль: 73%
0.00782
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2018-1257

CVSS3: 6.5
ubuntu
около 7 лет назад

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

redhat логотип

CVE-2018-1257

CVSS3: 4.8
redhat
около 7 лет назад

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

nvd логотип

CVE-2018-1257

CVSS3: 6.5
nvd
около 7 лет назад

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

github логотип

GHSA-rcpf-vj53-7h2m

CVSS3: 6.5
github
больше 6 лет назад

Denial of Service in org.springframework:spring-core

fstec логотип

BDU:2019-01761

CVSS3: 6.5
fstec
около 7 лет назад

Уязвимость программной платформы Spring Framework, существующая из-за недостаточной проверки входных данных, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 73%
0.00782
Низкий