Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
21 Nov 2024, 03:42
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html - Patch, Third Party Advisory | |
References | () http://www.securityfocus.com/bid/107984 - Broken Link, Third Party Advisory, VDB Entry | |
References | () https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html - Mailing List, Third Party Advisory | |
References | () https://pivotal.io/security/cve-2018-11039 - Mitigation, Vendor Advisory | |
References | () https://www.oracle.com/security-alerts/cpujan2020.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpujul2020.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html - Patch, Third Party Advisory |
23 Jun 2022, 16:30
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* | |
References | (BID) http://www.securityfocus.com/bid/107984 - Broken Link, Third Party Advisory, VDB Entry |
13 Apr 2022, 14:51
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:13.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:13.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3.26:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_network_management_system:1.12.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_calculation_engine:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_markdown_optimization:13.4.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_assortment_planning:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_online_mediation_controller:6.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.37:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3..100:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:* |
|
References | (BID) http://www.securityfocus.com/bid/107984 - Broken Link | |
References | (MISC) https://www.oracle.com/security-alerts/cpujul2020.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpujan2020.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html - Patch, Third Party Advisory | |
References | (CONFIRM) http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html - Patch, Third Party Advisory |
20 Oct 2021, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2018-06-25 15:29
Updated : 2024-11-21 03:42
NVD link : CVE-2018-11039
Mitre link : CVE-2018-11039
CVE.ORG link : CVE-2018-11039
JSON object : View
Products Affected
oracle
- communications_diameter_signaling_router
- communications_unified_inventory_management
- communications_online_mediation_controller
- retail_financial_integration
- mysql_enterprise_monitor
- application_testing_suite
- healthcare_master_person_index
- communications_services_gatekeeper
- insurance_rules_palette
- primavera_p6_enterprise_project_portfolio_management
- hospitality_guest_access
- retail_assortment_planning
- agile_plm
- retail_xstore_point_of_service
- micros_lucas
- retail_advanced_inventory_planning
- retail_markdown_optimization
- enterprise_manager_for_mysql_database
- weblogic_server
- retail_predictive_application_server
- communications_network_integrity
- communications_performance_intelligence_center
- enterprise_manager_base_platform
- retail_integration_bus
- insurance_calculation_engine
- endeca_information_discovery_integrator
- utilities_network_management_system
- retail_customer_insights
- enterprise_manager_ops_center
- health_sciences_information_manager
- retail_clearance_optimization_engine
vmware
- spring_framework
debian
- debian_linux
CWE