Home > Vulnerability Database > CVE-2018-11039

Mend.io Vulnerability Database

CVE-2018-11039

Good to know:

Date: June 25, 2018

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Language: Java

Severity Score

5.9

Related Resources (21)

Url: https://github.com/spring-projects/spring-framework/commit/323ccf99e575343f63d56e229c25c35c170b7ec1

Url: http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Url: https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html

Url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Url: https://github.com/spring-projects/spring-framework/commit/dac97f1b7dac3e70ff603fb6fc9f205b95dd6b01

Url: http://www.securityfocus.com/bid/107984

Url: https://spring.io/security/cve-2018-11039

Url: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Url: https://github.com/spring-projects/spring-framework

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-11039

Url: https://github.com/spring-projects/spring-framework/issues/21376

Url: https://github.com/spring-projects/spring-framework/commit/a5cd01a4c857aaaba7ccc51545fc73dd25b5cba5

Url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Url: https://github.com/spring-projects/spring-framework/commit/f64fa3dea10af125d612d3a997aece93d21bc875

Url: https://www.oracle.com/security-alerts/cpujul2020.html

Url: https://www.oracle.com/security-alerts/cpujan2020.html

Url: https://www.oracle.com/security-alerts/cpuoct2021.html

Url: https://pivotal.io/security/cve-2018-11039

Url: https://github.com/spring-projects/spring-framework/commit/f2694a8ed93f1f63f87ce45d0bb638478b426acd

Url: https://github.com/advisories/GHSA-9gcm-f4x3-8jpw

Url: https://www.mend.io/vulnerability-database/CVE-2018-11039

Severity Score

5.9

Weakness Type (CWE)

Input Validation

CWE-20

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version org.springframework:spring-web:5.0.7.RELEASE,4.3.18.RELEASE,org.apache.servicemix.bundles:org.apache.servicemix.bundles.spring-web:5.0.7.RELEASE,4.3.18.RELEASE

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-11039

Good to know:

Date: June 25, 2018

Language: Java

Severity Score

Related Resources (21)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?