CVE-2018-11039

Impact:
Moderate
Public Date:
2018-06-14
CWE:
CWE-648
Bugzilla:
1591929: CVE-2018-11039 springframework: Cross Site Tracing (XST) if vulnerable to XSS

The MITRE CVE dictionary describes this issue as:

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
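
As an added illustration (not Spring's own HiddenHttpMethodFilter source, and not code from this advisory), the following hypothetical Spring servlet filter only honours the method overrides an HTML form actually needs; without the allowlist check, a hidden `_method=TRACE` field (the default parameter name HiddenHttpMethodFilter reads) would rewrite a POST into TRACE, which is the escalation path described above. The class name and the exact allowlist contents are assumptions.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;
// Hypothetical filter (not Spring's own HiddenHttpMethodFilter) showing the
// weakness behind CVE-2018-11039 and its allowlist remedy.
public class RestrictedMethodOverrideFilter extends OncePerRequestFilter {
    // Hidden form field carrying the override; same name Spring MVC forms use.
    private static final String METHOD_PARAM = "_method";

    // Only the verbs an HTML form cannot send natively; TRACE, GET, HEAD,
    // OPTIONS, CONNECT and anything else are deliberately left out.
    private static final Set<String> ALLOWED_METHODS = Set.of("PUT", "DELETE", "PATCH");

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        HttpServletRequest requestToUse = request;
        // Only a POST body can carry the hidden field, so only POST is ever rewritten.
        if ("POST".equals(request.getMethod())) {
            String param = request.getParameter(METHOD_PARAM);
            if (param != null && !param.isEmpty()) {
                String method = param.toUpperCase(Locale.ENGLISH);
                // Wrapping unconditionally here (no membership check) is the
                // vulnerable pattern: "_method=TRACE" would reach the handler as TRACE.
                if (ALLOWED_METHODS.contains(method)) {
                    requestToUse = new MethodRequestWrapper(request, method);
                }
            }
        }
        chain.doFilter(requestToUse, response);
    }

    // Reports the overridden verb to everything downstream of the filter.
    private static final class MethodRequestWrapper extends HttpServletRequestWrapper {
        private final String method;
        MethodRequestWrapper(HttpServletRequest request, String method) {
            super(request);
            this.method = method;
        }
        @Override
        public String getMethod() { return method; }
    }
}
```

Disabling TRACE at the servlet container or reverse proxy remains a worthwhile second layer, since the filter only governs overrides and not methods the client sends directly.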

Find out more about CVE-2018-11039 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 5.6
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Impact Low
Availability Impact Low

Affected Packages State

Platform                                   | Package            | State
Red Hat Virtualization 4                   | rhvm-dependencies  | Under investigation
Red Hat OpenStack Platform 9.0             | springframework    | Under investigation
Red Hat OpenStack Platform 12.0            | springframework    | Under investigation
Red Hat OpenStack Platform 11.0 (Ocata)    | springframework    | Under investigation
Red Hat OpenStack Platform 10              | springframework    | Under investigation
Red Hat JBoss Fuse Service Works 6         | springframework    | Under investigation
Red Hat JBoss Fuse 7                       | springframework    | Under investigation
Red Hat JBoss Fuse 6                       | springframework    | Under investigation
Red Hat JBoss Enterprise SOA Platform 5    | springframework    | Under investigation
Red Hat JBoss Data Virtualization 6        | springframework    | Under investigation
Red Hat JBoss BRMS 5                       | springframework    | Under investigation
Red Hat Gluster Storage 3                  | rhevm-dependencies | Under investigation

CVE description copyright © 2017, The MITRE Corporation