ID CVE-2018-11039
Summary Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
References
Vulnerable Configurations
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.0:-:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.10:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.11:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.12:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.13:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.14:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.15:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.16:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.17:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:milestone3:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:milestone4:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:milestone5:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.6:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: NONE
  • Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:N
refmap via4
  • bid: 107984
  • confirm:
  • misc: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Last major update 03-10-2019 - 00:03
Published 25-06-2018 - 15:29
Last modified 15-07-2020 - 03:15