Описание
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
Отчет
From an OpenDaylight perspective, whilst the shipped versions of Open Dayight ship artifacts which fall within the affected versions ("older unsupported versions"), this flaw only has impact when JSONP is used in certain circumstances. Given the libraries themselves are not used in a vulnerable way, being only used as part of tests, no package update to mitigate this flaw for Open Daylight is required. The package rhevm-dependencies does not include the spring-webmvc component, where this vulnerability exists.
Меры по смягчению последствий
According to the upstream advisory, this vulnerability only applies to applications that do all of the following:
- Explicitly configure MappingJackson2JsonView.
- Do not set the jsonpParameterNames property of MappingJackson2JsonView to an empty set.
- Expose sensitive user information over endpoints that can render content with JSONP.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Fuse 7 | springframework | Not affected | ||
| Red Hat JBoss BRMS 5 | springframework | Out of support scope | ||
| Red Hat JBoss Data Virtualization 6 | springframework | Out of support scope | ||
| Red Hat JBoss Fuse 6 | springframework | Out of support scope | ||
| Red Hat JBoss Fuse Service Works 6 | springframework | Out of support scope | ||
| Red Hat JBoss SOA Platform 5 | springframework | Out of support scope | ||
| Red Hat OpenStack Platform 10 (Newton) | opendaylight | Will not fix | ||
| Red Hat OpenStack Platform 11 (Ocata) | opendaylight | Will not fix | ||
| Red Hat OpenStack Platform 12 (Pike) | opendaylight | Will not fix | ||
| Red Hat OpenStack Platform 13 (Queens) | opendaylight | Will not fix |
Показывать по
Дополнительная информация
Статус:
EPSS
3.7 Low
CVSS3
Связанные уязвимости
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3 ...
Moderate severity vulnerability that affects org.springframework:spring-core
Уязвимость программной платформы Spring Framework, связанная с ошибками в настройках безопасности, позволяющая нарушителю оказать воздействие на конфиденциальность защищаемой информации
EPSS
3.7 Low
CVSS3