ID CVE-2018-11040
Summary Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
References
Vulnerable Configurations
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.0:-:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.0:-:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.3:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.4:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.5:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.6:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.7:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.8:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.9:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.10:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.10:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.11:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.11:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.12:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.12:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.13:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.13:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.14:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.14:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.15:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.15:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.16:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.16:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:4.3.17:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:4.3.17:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:milestone1:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:milestone2:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:milestone3:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.0:milestone3:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:milestone4:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.0:milestone4:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:milestone5:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.0:milestone5:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.0:rc4:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:5.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_framework:5.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.3:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.4:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.5:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager:13.2:*:*:*:*:mysql:*:*
    cpe:2.3:a:oracle:enterprise_manager:13.2:*:*:*:*:mysql:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:flexcube_private_banking:2.0.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:flexcube_private_banking:2.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:flexcube_private_banking:2.2.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:flexcube_private_banking:2.2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:flexcube_private_banking:12.0.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:flexcube_private_banking:12.0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:flexcube_private_banking:12.0.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:flexcube_private_banking:12.0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:flexcube_private_banking:12.1.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:flexcube_private_banking:12.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.0.25:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.0.25:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.3.7856:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.3.7856:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.4:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.5:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.6:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.6.8003:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.6.8003:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.7:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.7:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.8:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.8.2223:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.8.2223:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.9:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.10:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.10:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.1182:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.1182:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.2.1162:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.2.1162:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.3:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.4:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.4.3247:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.4.3247:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.5:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.6:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.7:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.8:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.9:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.2.4181:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.2.4181:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:product_lifecycle_management:9.3.6:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:product_lifecycle_management:9.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_network_management_system:1.12.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:utilities_network_management_system:1.12.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:
CWE CWE-829
CAPEC
  • Code Inclusion
    An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed. This differs from code injection in that code injection involves the direct inclusion of code while code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
  • XML Entity Linking
    An attacker creates an XML document that contains an external entity reference. External entity references can take the form of <!ENTITY name system "uri"> tags in a DTD. Because processors may not validate documents with external entities, there may be no checks on the nature of the reference in the external entity. This can allow an attacker to open arbitrary files or connections.
  • DTD Injection
    An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how XML documents are processed. Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion.
  • Local Code Inclusion
    The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.
  • PHP Local File Inclusion
    The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP files that have known vulnerabilities, to load PHP files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.
  • Remote Code Inclusion
    The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load malicious files that the attacker placed on the remote machine, or to otherwise change the functionality of the targeted application in unexpected ways.
  • Force Use of Corrupted Files
    This describes an attack where an application is forced to use a file that an attacker has corrupted. The result is often a denial of service caused by the application being unable to process the corrupted file, but other results, including the disabling of filters or access controls (if the application fails in an unsafe way rather than failing by locking down) or buffer overflows are possible.
  • Local Execution of Code
    An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:N
refmap via4
confirm
misc https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Last major update 03-10-2019 - 00:03
Published 25-06-2018 - 15:29
Last modified 15-07-2020 - 03:15
Back to Top