Description
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
Report
From an OpenDaylight perspective, while the shipped versions of OpenDaylight include artifacts that fall within the affected versions ("older unsupported versions"), this flaw only has an impact in the presence of an existing XSS flaw. Given that there are currently no XSS flaws in the shipped versions, and the libraries themselves are not used in a vulnerable way, no package update to mitigate this flaw for OpenDaylight is required. The package rhevm-dependencies does not include the spring-webmvc component, where this vulnerability exists.
Mitigation
According to the upstream advisory, this attack applies to applications that allow the application server to handle HTTP TRACE requests and that use the HiddenHttpMethodFilter. Note that the HiddenHttpMethodFilter is enabled by default in Spring Boot.
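The mitigation above hinges on two conditions: the server answers TRACE, and the filter can rewrite a POST into TRACE. The following detection script is an added example (not part of this advisory or of the Spring project) that models the filter's pre-5.0.7 behaviour over constructed access-log lines; it assumes the filter's default override parameter name `_method` and only sees overrides carried in the query string, since form-body parameters never reach a standard access log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format) for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2018:12:00:01 +0000] "POST /account/update?_method=TRACE HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2018:12:00:02 +0000] "TRACE / HTTP/1.1" 405 0 "-" "curl/7.58.0"
198.51.100.7 - - [10/Jun/2018:12:00:03 +0000] "POST /orders?_method=DELETE HTTP/1.1" 204 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2018:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Default request-parameter name read by HiddenHttpMethodFilter (assumption).
OVERRIDE_PARAM = "_method"


def effective_method(method, target):
    """Return (method the filter would hand to Spring MVC, override_applied).

    Pre-5.0.7 the filter honoured any override value on a POST request,
    so a POST carrying _method=TRACE became a TRACE inside the application.
    """
    if method != "POST":          # the filter only rewrites POST requests
        return method, False
    query = urlsplit(target).query
    override = parse_qs(query).get(OVERRIDE_PARAM, [None])[0]
    if override:
        return override.upper(), True
    return method, False


def find_trace_requests(log_text):
    """Flag raw TRACE requests and POSTs whose override turns them into TRACE."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        eff, overridden = effective_method(m["method"], m["target"])
        if eff == "TRACE":
            findings.append({"ip": m["ip"], "method": m["method"],
                             "effective": eff, "overridden": overridden,
                             "status": int(m["status"])})
    return findings


if __name__ == "__main__":
    for f in find_trace_requests(SAMPLE_LOG):
        print(f)
```

A 200 on an overridden TRACE (first finding) shows both conditions from the advisory were met, whereas a 405 on a raw TRACE (second finding) shows the server itself refused the method.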
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Fuse 7 | springframework | Not affected | | |
Red Hat JBoss BRMS 5 | springframework | Out of support scope | | |
Red Hat JBoss Data Virtualization 6 | springframework | Out of support scope | | |
Red Hat JBoss Fuse 6 | springframework | Out of support scope | | |
Red Hat JBoss Fuse Service Works 6 | springframework | Out of support scope | | |
Red Hat JBoss SOA Platform 5 | springframework | Out of support scope | | |
Red Hat OpenStack Platform 10 (Newton) | opendaylight | Will not fix | | |
Red Hat OpenStack Platform 11 (Ocata) | opendaylight | Will not fix | | |
Red Hat OpenStack Platform 12 (Pike) | opendaylight | Will not fix | | |
Red Hat OpenStack Platform 13 (Queens) | opendaylight | Will not fix | | |
Additional information
Status:
EPSS
3.7 Low
CVSS3
Related vulnerabilities
A vulnerability in the HiddenHttpMethodFilter implementation of the Spring Framework platform that allows an attacker to carry out a cross-site scripting attack