Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2018-11039

Опубликовано: 25 июн. 2018
Источник: nvd
CVSS3: 5.9
CVSS2: 4.3
EPSS Низкий

Описание

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Версия до 4.3.18 (исключая)
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Версия от 5.0.0 (включая) до 5.0.7 (исключая)
Конфигурация 2

Одно из

cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
Версия до 8.3 (исключая)
cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*
Версия от 7.3.2 (включая) до 7.3.6 (включая)
cpe:2.3:a:oracle:communications_online_mediation_controller:6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:*
Версия до 10.2.1 (исключая)
cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*
Версия до 6.1.0.4.0 (исключая)
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:13.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_calculation_engine:*:*:*:*:*:*:*:*
Версия от 11.0.0 (включая) до 11.3.1 (включая)
cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
Версия до 3.4.9.4237 (включая)
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
Версия от 4.0.0 (включая) до 4.0.6.5281 (включая)
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
Версия от 8.0.0 (включая) до 8.0.2.8191 (включая)
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_assortment_planning:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_financial_integration:13.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_financial_integration:14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_financial_integration:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_markdown_optimization:13.4.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3.26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.37:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3..100:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_network_management_system:1.12.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
Конфигурация 3
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

EPSS

Процентиль: 86%
0.02919
Низкий

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

ubuntu логотип

CVE-2018-11039

CVSS3: 5.9
ubuntu
почти 7 лет назад

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

redhat логотип

CVE-2018-11039

CVSS3: 3.7
redhat
около 7 лет назад

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

debian логотип

CVE-2018-11039

CVSS3: 5.9
debian
почти 7 лет назад

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior ...

github логотип

GHSA-9gcm-f4x3-8jpw

CVSS3: 5.9
github
больше 6 лет назад

Spring Framework Cross Site Tracing (XST)

fstec логотип

BDU:2019-00563

CVSS3: 5.9
fstec
почти 7 лет назад

Уязвимость реализации механизма HiddenHttpMethodFilter программной платформы Spring Framework, позволяющая нарушителю осуществить межсайтовую сценарную атаку

EPSS

Процентиль: 86%
0.02919
Низкий

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

NVD-CWE-noinfo