CVE-2018-15756

Impact:
Low
Public Date:
2018-10-16
CWE:
CWE-20
Bugzilla:
1643043: CVE-2018-15756 springframework: DoS Attack via Range Requests

The MITRE CVE dictionary describes this issue as:

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
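As an added defender-side example, not code from the Red Hat page or the Spring project, a servlet filter that rejects Range headers carrying too many or overlapping byte ranges before they reach ResourceHttpRequestHandler or a Resource-returning controller. The class name, the limit of 20 ranges and the use of the javax.servlet API of Spring 5.x are assumptions; upgrading to a fixed version remains the real remedy.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical guard: drops requests whose Range header is abusive before Spring parses it. */
public class RangeHeaderGuardFilter extends OncePerRequestFilter {

    // Assumed limit for this example; a single range covers the normal download-resume case.
    private static final int MAX_RANGES = 20;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String range = request.getHeader("Range");
        if (range != null && !isAcceptable(range)) {
            // 416 tells the client the range set was not satisfiable; nothing is served.
            response.sendError(HttpServletResponse.SC_REQUESTED_RANGE_NOT_SATISFIABLE);
            return;
        }
        chain.doFilter(request, response);
    }

    /** Accepts only byte-range sets that are few in number, well-formed and non-overlapping. */
    static boolean isAcceptable(String header) {
        if (!header.startsWith("bytes=")) return true;          // only byte ranges are inspected here
        String[] parts = header.substring("bytes=".length()).split(",");
        if (parts.length > MAX_RANGES) return false;            // too many ranges in one request
        List<long[]> spans = new ArrayList<>();
        for (String part : parts) {
            String p = part.trim();
            int dash = p.indexOf('-');
            if (dash <= 0) continue;                            // suffix form "-N": counted, not positioned
            try {
                long start = Long.parseLong(p.substring(0, dash));
                long end = dash == p.length() - 1 ? Long.MAX_VALUE : Long.parseLong(p.substring(dash + 1));
                if (end < start) return false;                  // malformed: end before start
                spans.add(new long[] {start, end});
            } catch (NumberFormatException e) {
                return false;                                   // non-numeric bounds
            }
        }
        spans.sort((a, b) -> Long.compare(a[0], b[0]));
        for (int i = 1; i < spans.size(); i++) {
            if (spans.get(i)[0] <= spans.get(i - 1)[1]) return false;  // ranges overlap
        }
        return true;
    }
}
```

Register the filter ahead of the Spring dispatcher (for example via a FilterRegistrationBean in Spring Boot) so it sees the header before the resource handler does.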

Find out more about CVE-2018-15756 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score: 3.1
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low

Affected Packages State

Platform | Package | State
Red Hat Virtualization 4 | rhvm-dependencies | Under investigation
Red Hat OpenStack Platform 9.0 | springframework | Under investigation
Red Hat OpenStack Platform 12.0 | springframework | Under investigation
Red Hat OpenStack Platform 11.0 (Ocata) | springframework | Under investigation
Red Hat OpenStack Platform 10 | springframework | Under investigation
Red Hat JBoss Fuse Service Works 6 | springframework | Under investigation
Red Hat JBoss Fuse 7 | springframework | Under investigation
Red Hat JBoss Fuse 6 | springframework | Under investigation
Red Hat JBoss Enterprise SOA Platform 5 | springframework | Under investigation
Red Hat JBoss Data Virtualization 6 | springframework | Under investigation
Red Hat JBoss BRMS 5 | springframework | Under investigation
Red Hat Gluster Storage 3 | rhevm-dependencies | Under investigation

CVE description copyright © 2017, The MITRE Corporation
