var-201805-1189
Vulnerability from variot

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack. Spring Framework Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Spring Framework is prone to a denial-of-service vulnerability. Attackers can exploit this issue to cause a denial-of-service condition; denying service to legitimate users. Spring Framework 5.0 through 5.0.5 and 4.3 through 4.3.16 are vulnerable; other versions are also affected. Pivotal Spring Framework is an open source Java and Java EE application framework developed by Pivotal Software in the United States. The framework helps developers build high-quality applications. Description:

Red Hat Openshift Application Runtimes provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform. For further information, refer to the Release Notes linked to in the References section.

Security Fix(es):

  • spring-messaging: ReDoS Attack with spring-messaging (CVE-2018-1257)

  • spring-data: XXE with Spring Dataas XMLBeam integration (CVE-2018-1259)

  • spring-security-oauth2: Remote Code Execution with spring-security-oauth2 (CVE-2018-1260)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/):

1578578 - CVE-2018-1257 spring-framework: ReDoS Attack with spring-messaging 1578902 - CVE-2018-1259 spring-data-commons: XXE with Spring Dataas XMLBeam integration 1584376 - CVE-2018-1260 spring-security-oauth: remote code execution in the authorization process

  1. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

===================================================================== Red Hat Security Advisory

Synopsis: Important: Red Hat Fuse 7.2 security update Advisory ID: RHSA-2018:3768-01 Product: Red Hat JBoss Fuse Advisory URL: https://access.redhat.com/errata/RHSA-2018:3768 Issue date: 2018-12-04 CVE Names: CVE-2016-5002 CVE-2016-5003 CVE-2017-12196 CVE-2018-1257 CVE-2018-1259 CVE-2018-1288 CVE-2018-1336 CVE-2018-8014 CVE-2018-8018 CVE-2018-8039 CVE-2018-8041 CVE-2018-12537 =====================================================================

  1. Summary:

An update is now available for Red Hat Fuse.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

  1. Description:

Red Hat Fuse enables integration experts, application developers, and business users to collaborate and independently develop connected solutions.

Fuse is part of an agile integration solution. Its distributed approach allows teams to deploy integrated services where required. The API-centric, container-based architecture decouples services so they can be created, extended, and deployed independently.

This release of Red Hat Fuse 7.2 serves as a replacement for Red Hat Fuse 7.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • xmlrpc: Deserialization of untrusted Java object through tag (CVE-2016-5003)

  • tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336)

  • ignite: Improper deserialization allows for code execution via GridClientJdkMarshaller endpoint (CVE-2018-8018)

  • apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.* (CVE-2018-8039)

  • xmlrpc: XML external entity vulnerability SSRF via a crafted DTD (CVE-2016-5002)

  • undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)

  • spring-data-commons: XXE with Spring Dataas XMLBeam integration (CVE-2018-1259)

  • kafka: Users can perform Broker actions via crafted fetch requests, interfering with data replication and causing data lass (CVE-2018-1288)

  • tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)

  • camel-mail: path traversal vulnerability (CVE-2018-8041)

  • vertx: Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers (CVE-2018-12537)

  • spring-framework: ReDoS Attack with spring-messaging (CVE-2018-1257)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Eedo Shapira (GE Digital) for reporting CVE-2018-8041. The CVE-2017-12196 issue was discovered by Jan Stourac (Red Hat).

  1. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Installation instructions are located in the download section of the customer portal.

The References section of this erratum contains a download link (you must log in to download the update).

  1. Bugs fixed (https://bugzilla.redhat.com/):

1503055 - CVE-2017-12196 undertow: Client can use bogus uri in Digest authentication 1508110 - CVE-2016-5002 xmlrpc: XML external entity vulnerability SSRF via a crafted DTD 1508123 - CVE-2016-5003 xmlrpc: Deserialization of untrusted Java object through tag 1578578 - CVE-2018-1257 spring-framework: ReDoS Attack with spring-messaging 1578902 - CVE-2018-1259 spring-data-commons: XXE with Spring Dataas XMLBeam integration 1579611 - CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins 1591072 - CVE-2018-12537 vertx: Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers 1595332 - CVE-2018-8039 apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.* 1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS 1607731 - CVE-2018-8018 ignite: Improper deserialization allows for code execution via GridClientJdkMarshaller endpoint 1611059 - CVE-2018-1288 kafka: Users can perform Broker actions via crafted fetch requests, interfering with data replication and causing data lass 1612644 - CVE-2018-8041 camel-mail: path traversal vulnerability

  1. References:

https://access.redhat.com/security/cve/CVE-2016-5002 https://access.redhat.com/security/cve/CVE-2016-5003 https://access.redhat.com/security/cve/CVE-2017-12196 https://access.redhat.com/security/cve/CVE-2018-1257 https://access.redhat.com/security/cve/CVE-2018-1259 https://access.redhat.com/security/cve/CVE-2018-1288 https://access.redhat.com/security/cve/CVE-2018-1336 https://access.redhat.com/security/cve/CVE-2018-8014 https://access.redhat.com/security/cve/CVE-2018-8018 https://access.redhat.com/security/cve/CVE-2018-8039 https://access.redhat.com/security/cve/CVE-2018-8041 https://access.redhat.com/security/cve/CVE-2018-12537 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=7.2.0 https://access.redhat.com/documentation/en-us/red_hat_fuse/7.2/ https://access.redhat.com/articles/2939351

  1. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIVAwUBXAakytzjgjWX9erEAQgDkw//Wb1MeuX1VOUq4u9qkgtp3ECPTAR3GE8B RWHYBguzM+WJrDPTtgH1sy1BstIEPgVooQLTKWhZYtJpR64S5T6YAv+aFh1vA7qI 87GDERqiATIm3l8qKBBOF02FukP9ywkaH5hR+pT7tM2OuN8iZ4dvKl0Rdzs6vnhF Ea+qVCKeQlyn88HUUqYw51nBX7tbK0H1RuG7DxlU93LBYqymMIZ90KhcGeuvNPu/ BVk7xMDtbdPSagSBy5WFpTvZ/ozeYBmO7u8p9l67SiD3obR6Rtn83B3DKvL/AFP4 ahKlIrK62hk2qgXrpLQ9aVUwBMZ1Lqu99LelF20hRt38L7qy/EXtD+Xdt0H9Xl/H bcLyRvjq8pOjdrdqAvnfI5HBDdSZrxujYX9t6egoQg3wFuS9h0DbKFMXSKMSaW2S WlP4L5zbCTvhPy3mIPOECKDxP8Xa2g2HnqCal2PpHIXGVBvD0CTuxI0b7a6WKKYf dbhm5uIEhdoS/vSuHntq+o+3IzlhRNHKx2Uh+03arWYyj4N26bbKFB+v+7gjL2e9 1ITf4HXEUphym5PY0R1GGc2Xr5Xc8BjV8xX3pgvI8FcRov4XGsS37TYpvNxPmTCA e4VB2C4WS+AFhk1QJR7cNuACwUxjarIoKUp1CX5gvqu35pVgxR97KxoblGdMtR9g UOgTm4iHIhQ= =RCpd -----END PGP SIGNATURE-----

-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

Show details on source website


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201805-1189",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "openshift",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "redhat",
        "version": null
      },
      {
        "model": "flexcube private banking",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.0.3.0"
      },
      {
        "model": "goldengate for big data",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.0.1"
      },
      {
        "model": "primavera gateway",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.2"
      },
      {
        "model": "communications unified inventory management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "7.3.5"
      },
      {
        "model": "insurance calculation engine",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.2"
      },
      {
        "model": "big data discovery",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "1.6.0"
      },
      {
        "model": "retail open commerce platform",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "6.0.0"
      },
      {
        "model": "retail predictive application server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "15.0"
      },
      {
        "model": "communications unified inventory management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "7.3.4"
      },
      {
        "model": "goldengate for big data",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.3.1.1"
      },
      {
        "model": "enterprise manager base platform",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "13.2.0.0.0"
      },
      {
        "model": "application testing suite",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "13.1.0.1"
      },
      {
        "model": "hospitality guest access",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "4.2.1"
      },
      {
        "model": "retail order broker",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "5.2"
      },
      {
        "model": "spring framework",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "vmware",
        "version": "5.0.0"
      },
      {
        "model": "utilities network management system",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "1.12.0.3"
      },
      {
        "model": "endeca information discovery integrator",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "3.1.0"
      },
      {
        "model": "enterprise manager for mysql database",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "13.2"
      },
      {
        "model": "retail predictive application server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "14.1"
      },
      {
        "model": "retail open commerce platform",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "5.3.0"
      },
      {
        "model": "flexcube private banking",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "2.0.0.0"
      },
      {
        "model": "retail order broker",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "15.0"
      },
      {
        "model": "retail predictive application server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.0"
      },
      {
        "model": "tape library acsls",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.4"
      },
      {
        "model": "retail order broker",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "5.1"
      },
      {
        "model": "communications performance intelligence center",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.2.1"
      },
      {
        "model": "primavera gateway",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "17.12"
      },
      {
        "model": "endeca information discovery integrator",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "3.2.0"
      },
      {
        "model": "communications diameter signaling router",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.3"
      },
      {
        "model": "service architecture leveraging tuxedo",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.2.0.0"
      },
      {
        "model": "insurance rules palette",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.1"
      },
      {
        "model": "application testing suite",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "13.2.0.1"
      },
      {
        "model": "insurance calculation engine",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.2.1"
      },
      {
        "model": "service architecture leveraging tuxedo",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.1.3.0.0"
      },
      {
        "model": "healthcare master person index",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "3.0"
      },
      {
        "model": "spring framework",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "vmware",
        "version": "4.3.17"
      },
      {
        "model": "flexcube private banking",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.1.0.0"
      },
      {
        "model": "agile product lifecycle management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "9.3.6"
      },
      {
        "model": "retail customer insights",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "15.0"
      },
      {
        "model": "agile product lifecycle management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "9.3.4"
      },
      {
        "model": "flexcube private banking",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "2.2.0.1"
      },
      {
        "model": "goldengate for big data",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.3.2.1"
      },
      {
        "model": "agile product lifecycle management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "9.3.5"
      },
      {
        "model": "insurance calculation engine",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.1.1"
      },
      {
        "model": "insurance rules palette",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.1"
      },
      {
        "model": "application testing suite",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "13.3.0.1"
      },
      {
        "model": "communications unified inventory management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "7.3.2"
      },
      {
        "model": "hospitality guest access",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "4.2.0"
      },
      {
        "model": "retail order broker",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.0"
      },
      {
        "model": "communications services gatekeeper",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "6.1.0.4.0"
      },
      {
        "model": "insurance rules palette",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.0"
      },
      {
        "model": "weblogic server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.1.3.0"
      },
      {
        "model": "insurance rules palette",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.2"
      },
      {
        "model": "weblogic server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.1.3.0.0"
      },
      {
        "model": "communications converged application server",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "7.0.0.1"
      },
      {
        "model": "retail predictive application server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "14.0"
      },
      {
        "model": "insurance rules palette",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.0"
      },
      {
        "model": "healthcare master person index",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "4.0"
      },
      {
        "model": "enterprise manager ops center",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.3.3"
      },
      {
        "model": "application testing suite",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.5.0.3"
      },
      {
        "model": "health sciences information manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "3.0"
      },
      {
        "model": "agile product lifecycle management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "9.3.3"
      },
      {
        "model": "primavera gateway",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "15.2"
      },
      {
        "model": "communications unified inventory management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "7.4.0"
      },
      {
        "model": "enterprise manager base platform",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.1.0.5.0"
      },
      {
        "model": "flexcube private banking",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.0.1.0"
      },
      {
        "model": "retail open commerce platform",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "6.0.1"
      },
      {
        "model": "spring framework",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "vmware",
        "version": "5.0.6"
      },
      {
        "model": "enterprise manager base platform",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "13.3.0.0.0"
      },
      {
        "model": "retail customer insights",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.0"
      },
      {
        "model": "weblogic server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.3.6.0.0"
      },
      {
        "model": "spring framework",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "4.3.17"
      },
      {
        "model": "openshift",
        "scope": null,
        "trust": 0.8,
        "vendor": "red hat",
        "version": null
      },
      {
        "model": "spring framework",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "4.3.x"
      },
      {
        "model": "spring framework",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "5.0.x"
      },
      {
        "model": "spring framework",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "pivotal",
        "version": "5.0.6"
      },
      {
        "model": "spring framework",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "4.3"
      },
      {
        "model": "spring framework",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "5.0.1"
      },
      {
        "model": "spring framework",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "4.3.17"
      },
      {
        "model": "spring framework",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "5.0.4"
      },
      {
        "model": "spring framework",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "5.0.2"
      },
      {
        "model": "spring framework",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "5.0"
      },
      {
        "model": "spring framework",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "5.0.3"
      },
      {
        "model": "spring framework",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "4.3.15"
      },
      {
        "model": "spring framework",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "4.3.14"
      },
      {
        "model": "spring framework",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "5.0.5"
      },
      {
        "model": "spring framework",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "5.0.6"
      },
      {
        "model": "spring framework",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "pivotal",
        "version": "4.3.16"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "104260"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005091"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-405"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-1257"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:pivotal_software:spring_framework",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/a:redhat:openshift",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005091"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd.",
    "sources": [
      {
        "db": "BID",
        "id": "104260"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2018-1257",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.0,
            "id": "CVE-2018-1257",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 1.9,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.0,
            "id": "VHN-122542",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:S/C:N/I:N/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 2.8,
            "id": "CVE-2018-1257",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 6.5,
            "baseSeverity": "Medium",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2018-1257",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2018-1257",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2018-1257",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201805-405",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-122542",
            "trust": 0.1,
            "value": "MEDIUM"
          },
          {
            "author": "VULMON",
            "id": "CVE-2018-1257",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122542"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-1257"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005091"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-405"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-1257"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack. Spring Framework Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Spring Framework is prone to a denial-of-service vulnerability. \nAttackers can exploit this issue to cause a denial-of-service condition; denying service to legitimate users. \nSpring Framework 5.0 through 5.0.5 and 4.3 through 4.3.16 are vulnerable; other versions are also affected. Pivotal Spring Framework is an open source Java and Java EE application framework developed by Pivotal Software in the United States. The framework helps developers build high-quality applications. Description:\n\nRed Hat Openshift Application Runtimes provides an application platform\nthat reduces the complexity of developing and operating applications\n(monoliths and microservices) for OpenShift as a containerized platform. For further\ninformation, refer to the Release Notes linked to in the References\nsection. \n\nSecurity Fix(es):\n\n* spring-messaging: ReDoS Attack with spring-messaging (CVE-2018-1257)\n\n* spring-data: XXE with Spring Dataas XMLBeam integration (CVE-2018-1259)\n\n* spring-security-oauth2: Remote Code Execution with spring-security-oauth2\n(CVE-2018-1260)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section. Bugs fixed (https://bugzilla.redhat.com/):\n\n1578578 - CVE-2018-1257 spring-framework: ReDoS Attack with spring-messaging\n1578902 - CVE-2018-1259 spring-data-commons: XXE with Spring Dataas XMLBeam integration\n1584376 - CVE-2018-1260 spring-security-oauth: remote code execution in the authorization process\n\n5. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n                   Red Hat Security Advisory\n\nSynopsis:          Important: Red Hat Fuse 7.2 security update\nAdvisory ID:       RHSA-2018:3768-01\nProduct:           Red Hat JBoss Fuse\nAdvisory URL:      https://access.redhat.com/errata/RHSA-2018:3768\nIssue date:        2018-12-04\nCVE Names:         CVE-2016-5002 CVE-2016-5003 CVE-2017-12196 \n                   CVE-2018-1257 CVE-2018-1259 CVE-2018-1288 \n                   CVE-2018-1336 CVE-2018-8014 CVE-2018-8018 \n                   CVE-2018-8039 CVE-2018-8041 CVE-2018-12537 \n=====================================================================\n\n1. Summary:\n\nAn update is now available for Red Hat Fuse. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Description:\n\nRed Hat Fuse enables integration experts, application developers, and\nbusiness users to collaborate and independently develop connected\nsolutions. \n\nFuse is part of an agile integration solution. Its distributed approach\nallows teams to deploy integrated services where required. The API-centric,\ncontainer-based architecture decouples services so they can be created,\nextended, and deployed independently. \n\nThis release of Red Hat Fuse 7.2 serves as a replacement for Red Hat Fuse\n7.1, and includes bug fixes and enhancements, which are documented in the\nRelease Notes document linked to in the References. \n\nSecurity Fix(es):\n\n* xmlrpc: Deserialization of untrusted Java object through\n\u003cex:serializable\u003e tag (CVE-2016-5003)\n\n* tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336)\n\n* ignite: Improper deserialization allows for code execution via\nGridClientJdkMarshaller endpoint (CVE-2018-8018)\n\n* apache-cxf: TLS hostname verification does not work correctly with\ncom.sun.net.ssl.* (CVE-2018-8039)\n\n* xmlrpc: XML external entity vulnerability SSRF via a crafted DTD\n(CVE-2016-5002)\n\n* undertow: Client can use bogus uri in Digest authentication\n(CVE-2017-12196)\n\n* spring-data-commons: XXE with Spring Dataas XMLBeam integration\n(CVE-2018-1259)\n\n* kafka: Users can perform Broker actions via crafted fetch requests,\ninterfering with data replication and causing data lass (CVE-2018-1288)\n\n* tomcat: Insecure defaults in CORS filter enable \u0027supportsCredentials\u0027 for\nall origins (CVE-2018-8014)\n\n* camel-mail: path traversal vulnerability (CVE-2018-8041)\n\n* vertx: Improper neutralization of CRLF sequences allows remote attackers\nto inject arbitrary HTTP response headers (CVE-2018-12537)\n\n* spring-framework: ReDoS Attack with spring-messaging (CVE-2018-1257)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section. \n\nRed Hat would like to thank Eedo Shapira (GE Digital) for reporting\nCVE-2018-8041. The CVE-2017-12196 issue was discovered by Jan Stourac (Red\nHat). \n\n3. Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. \n\nInstallation instructions are located in the download section of the\ncustomer portal. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). \n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1503055 - CVE-2017-12196 undertow: Client can use bogus uri in Digest authentication\n1508110 - CVE-2016-5002 xmlrpc: XML external entity vulnerability SSRF via a crafted DTD\n1508123 - CVE-2016-5003 xmlrpc: Deserialization of untrusted Java object through \u003cex:serializable\u003e tag\n1578578 - CVE-2018-1257 spring-framework: ReDoS Attack with spring-messaging\n1578902 - CVE-2018-1259 spring-data-commons: XXE with Spring Dataas XMLBeam integration\n1579611 - CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable \u0027supportsCredentials\u0027 for all origins\n1591072 - CVE-2018-12537 vertx: Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers\n1595332 - CVE-2018-8039 apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.*\n1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS\n1607731 - CVE-2018-8018 ignite: Improper deserialization allows for code execution via GridClientJdkMarshaller endpoint\n1611059 - CVE-2018-1288 kafka: Users can perform Broker actions via crafted fetch requests, interfering with data replication and causing data lass\n1612644 - CVE-2018-8041 camel-mail: path traversal vulnerability\n\n5. References:\n\nhttps://access.redhat.com/security/cve/CVE-2016-5002\nhttps://access.redhat.com/security/cve/CVE-2016-5003\nhttps://access.redhat.com/security/cve/CVE-2017-12196\nhttps://access.redhat.com/security/cve/CVE-2018-1257\nhttps://access.redhat.com/security/cve/CVE-2018-1259\nhttps://access.redhat.com/security/cve/CVE-2018-1288\nhttps://access.redhat.com/security/cve/CVE-2018-1336\nhttps://access.redhat.com/security/cve/CVE-2018-8014\nhttps://access.redhat.com/security/cve/CVE-2018-8018\nhttps://access.redhat.com/security/cve/CVE-2018-8039\nhttps://access.redhat.com/security/cve/CVE-2018-8041\nhttps://access.redhat.com/security/cve/CVE-2018-12537\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=distributions\u0026version=7.2.0\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.2/\nhttps://access.redhat.com/articles/2939351\n\n6. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2018 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXAakytzjgjWX9erEAQgDkw//Wb1MeuX1VOUq4u9qkgtp3ECPTAR3GE8B\nRWHYBguzM+WJrDPTtgH1sy1BstIEPgVooQLTKWhZYtJpR64S5T6YAv+aFh1vA7qI\n87GDERqiATIm3l8qKBBOF02FukP9ywkaH5hR+pT7tM2OuN8iZ4dvKl0Rdzs6vnhF\nEa+qVCKeQlyn88HUUqYw51nBX7tbK0H1RuG7DxlU93LBYqymMIZ90KhcGeuvNPu/\nBVk7xMDtbdPSagSBy5WFpTvZ/ozeYBmO7u8p9l67SiD3obR6Rtn83B3DKvL/AFP4\nahKlIrK62hk2qgXrpLQ9aVUwBMZ1Lqu99LelF20hRt38L7qy/EXtD+Xdt0H9Xl/H\nbcLyRvjq8pOjdrdqAvnfI5HBDdSZrxujYX9t6egoQg3wFuS9h0DbKFMXSKMSaW2S\nWlP4L5zbCTvhPy3mIPOECKDxP8Xa2g2HnqCal2PpHIXGVBvD0CTuxI0b7a6WKKYf\ndbhm5uIEhdoS/vSuHntq+o+3IzlhRNHKx2Uh+03arWYyj4N26bbKFB+v+7gjL2e9\n1ITf4HXEUphym5PY0R1GGc2Xr5Xc8BjV8xX3pgvI8FcRov4XGsS37TYpvNxPmTCA\ne4VB2C4WS+AFhk1QJR7cNuACwUxjarIoKUp1CX5gvqu35pVgxR97KxoblGdMtR9g\nUOgTm4iHIhQ=\n=RCpd\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-1257"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005091"
      },
      {
        "db": "BID",
        "id": "104260"
      },
      {
        "db": "VULHUB",
        "id": "VHN-122542"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-1257"
      },
      {
        "db": "PACKETSTORM",
        "id": "148079"
      },
      {
        "db": "PACKETSTORM",
        "id": "150645"
      }
    ],
    "trust": 2.25
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-1257",
        "trust": 3.1
      },
      {
        "db": "BID",
        "id": "104260",
        "trust": 2.1
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005091",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-405",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "148079",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-122542",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-1257",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "150645",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122542"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-1257"
      },
      {
        "db": "BID",
        "id": "104260"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005091"
      },
      {
        "db": "PACKETSTORM",
        "id": "148079"
      },
      {
        "db": "PACKETSTORM",
        "id": "150645"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-405"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-1257"
      }
    ]
  },
  "id": "VAR-201805-1189",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122542"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-11-23T20:42:50.942000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "CVE-2018-1257: ReDoS Attack with spring-messaging",
        "trust": 0.8,
        "url": "https://pivotal.io/security/cve-2018-1257"
      },
      {
        "title": "RHSA-2018:1809",
        "trust": 0.8,
        "url": "https://access.redhat.com/errata/RHSA-2018:1809"
      },
      {
        "title": "Pivotal Spring Framework Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=80032"
      },
      {
        "title": "Red Hat: Important: Red Hat OpenShift Application Runtimes Spring Boot security and bug fix update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20181809 - Security Advisory"
      },
      {
        "title": "Red Hat: CVE-2018-1257",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2018-1257"
      },
      {
        "title": "Red Hat: Important: Red Hat Fuse 7.2 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20183768 - Security Advisory"
      },
      {
        "title": "Oracle: Oracle Critical Patch Update Advisory - January 2019",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=f655264a6935505d167bbf45f409a57b"
      },
      {
        "title": "Oracle: Oracle Critical Patch Update Advisory - October 2018",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=81c63752a6f26433af2128b2e8c02385"
      },
      {
        "title": "IBM: Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=3dea47d76eee003a50f853f241578c37"
      },
      {
        "title": "cybsec",
        "trust": 0.1,
        "url": "https://github.com/ilmari666/cybsec "
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2018-1257"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005091"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-405"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-noinfo",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-20",
        "trust": 0.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122542"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005091"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-1257"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "http://www.securityfocus.com/bid/104260"
      },
      {
        "trust": 2.1,
        "url": "https://pivotal.io/security/cve-2018-1257"
      },
      {
        "trust": 2.0,
        "url": "https://access.redhat.com/errata/rhsa-2018:1809"
      },
      {
        "trust": 1.9,
        "url": "https://access.redhat.com/errata/rhsa-2018:3768"
      },
      {
        "trust": 1.8,
        "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
      },
      {
        "trust": 1.8,
        "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
      },
      {
        "trust": 1.8,
        "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
      },
      {
        "trust": 1.8,
        "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
      },
      {
        "trust": 1.8,
        "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
      },
      {
        "trust": 1.8,
        "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
      },
      {
        "trust": 1.8,
        "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
      },
      {
        "trust": 1.0,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-1257"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1257"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-guardium-data-encryption-gde-3/"
      },
      {
        "trust": 0.3,
        "url": "http://pivotal.io/"
      },
      {
        "trust": 0.2,
        "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2018-1259"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-1259"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2018-1257"
      },
      {
        "trust": 0.2,
        "url": "https://bugzilla.redhat.com/):"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/team/contact/"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/ilmari666/cybsec"
      },
      {
        "trust": 0.1,
        "url": "https://tools.cisco.com/security/center/viewalert.x?alertid=57884"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=catrhoar.spring.boot\u0026downloadtype=distributions\u0026version=1.5.13"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-1260"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html-single/red_hat_openshift_application_runtimes_release_notes/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-1260"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-8018"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2016-5003"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-12537"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-8014"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=jboss.fuse\u0026downloadtype=distributions\u0026version=7.2.0"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-8041"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-1288"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2016-5002"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-1336"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.2/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-5002"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-5003"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-12196"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-8039"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-8018"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-8039"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-1288"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-12537"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/articles/2939351"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-1336"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-8014"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-8041"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2017-12196"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122542"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-1257"
      },
      {
        "db": "BID",
        "id": "104260"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005091"
      },
      {
        "db": "PACKETSTORM",
        "id": "148079"
      },
      {
        "db": "PACKETSTORM",
        "id": "150645"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-405"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-1257"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-122542"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-1257"
      },
      {
        "db": "BID",
        "id": "104260"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005091"
      },
      {
        "db": "PACKETSTORM",
        "id": "148079"
      },
      {
        "db": "PACKETSTORM",
        "id": "150645"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-405"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-1257"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-05-11T00:00:00",
        "db": "VULHUB",
        "id": "VHN-122542"
      },
      {
        "date": "2018-05-11T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-1257"
      },
      {
        "date": "2018-05-09T00:00:00",
        "db": "BID",
        "id": "104260"
      },
      {
        "date": "2018-07-05T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-005091"
      },
      {
        "date": "2018-06-07T15:16:13",
        "db": "PACKETSTORM",
        "id": "148079"
      },
      {
        "date": "2018-12-06T02:15:34",
        "db": "PACKETSTORM",
        "id": "150645"
      },
      {
        "date": "2018-05-14T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201805-405"
      },
      {
        "date": "2018-05-11T20:29:00.213000",
        "db": "NVD",
        "id": "CVE-2018-1257"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-08-24T00:00:00",
        "db": "VULHUB",
        "id": "VHN-122542"
      },
      {
        "date": "2022-06-23T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-1257"
      },
      {
        "date": "2018-05-09T00:00:00",
        "db": "BID",
        "id": "104260"
      },
      {
        "date": "2018-07-05T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-005091"
      },
      {
        "date": "2021-10-21T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201805-405"
      },
      {
        "date": "2024-11-21T03:59:28.767000",
        "db": "NVD",
        "id": "CVE-2018-1257"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-405"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Spring Framework Input validation vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-005091"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Input Validation Error",
    "sources": [
      {
        "db": "BID",
        "id": "104260"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-405"
      }
    ],
    "trust": 0.9
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.