CVE-2018-11040

Impact: Moderate
Public Date: 2018-06-14
CWE: CWE-79
Bugzilla: 1591931: CVE-2018-11040 springframework: cross-domain requests via JSONP through AbstractJsonpResponseBodyAdvice

The MITRE CVE dictionary describes this issue as:

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Find out more about CVE-2018-11040 from the MITRE CVE dictionary and NIST NVD.
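As an added illustration (not code from this page or from the Spring project), the configuration the description refers to beside a hardened one: registering MappingJackson2JsonView alone turns on JSONP via the "jsonp"/"callback" query parameters on affected versions, while clearing the parameter names keeps the view emitting plain JSON and moves any genuine cross-origin need to an explicit CORS allow-list. Assumes Spring MVC 5.0.x (WebMvcConfigurer with default methods) and the placeholder origin https://app.example.com.

```java
import java.util.Collections;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.View;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

// Added example, not part of the advisory or of Spring itself.
@Configuration
public class JsonViewConfig implements WebMvcConfigurer {

    // Affected pattern (4.3.x < 4.3.18, 5.0.x < 5.0.7): merely registering the
    // view is enough for "?jsonp=fn" or "?callback=fn" to wrap the JSON body in
    // a function call, so any origin can load the response through a <script> tag.
    //
    // @Bean
    // public View jsonView() {
    //     return new MappingJackson2JsonView();
    // }

    // Hardened: explicitly clear the JSONP parameter names so the view returns
    // plain JSON regardless of query parameters (also the post-fix default).
    @Bean
    public View jsonView() {
        MappingJackson2JsonView view = new MappingJackson2JsonView();
        view.setJsonpParameterNames(Collections.emptySet());
        return view;
    }

    // Where cross-origin access is actually required, use CORS with an
    // explicit origin allow-list instead of JSONP. Origin is a placeholder.
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOrigins("https://app.example.com")
                .allowedMethods("GET");
    }
}
```

Do not register any @ControllerAdvice subclass of AbstractJsonpResponseBodyAdvice alongside this; the same parameters would re-enable JSONP for REST controllers.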

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score: 5.6
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low

Affected Packages State

Platform                                  | Package            | State
Red Hat Virtualization 4                  | rhvm-dependencies  | Under investigation
Red Hat OpenStack Platform 9.0            | springframework    | Under investigation
Red Hat OpenStack Platform 12.0           | springframework    | Under investigation
Red Hat OpenStack Platform 11.0 (Ocata)   | springframework    | Under investigation
Red Hat OpenStack Platform 10             | springframework    | Under investigation
Red Hat JBoss Fuse Service Works 6        | springframework    | Under investigation
Red Hat JBoss Fuse 7                      | springframework    | Under investigation
Red Hat JBoss Fuse 6                      | springframework    | Under investigation
Red Hat JBoss Enterprise SOA Platform 5   | springframework    | Under investigation
Red Hat JBoss Data Virtualization 6       | springframework    | Under investigation
Red Hat JBoss BRMS 5                      | springframework    | Under investigation
Red Hat Gluster Storage 3                 | rhevm-dependencies | Under investigation

CVE description copyright © 2017, The MITRE Corporation