CVE-2018-11039 - 漏洞详情

CVE-2018-11039 (CNNVD-201806-1191)

MEDIUM

中文标题:

Pivotal Spring Framework 安全漏洞

英文标题:

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupport...

CVSS分数: 5.9

发布时间: 2018-06-25 15:00:00

漏洞类型: 输入验证错误

状态: PUBLISHED

数据质量分数: 0.30

数据版本: v3

漏洞描述

中文描述:

Pivotal Spring Framework是美国Pivotal Software公司的一套开源的Java、Java EE应用程序框架。该框架可帮助开发人员构建高质量的应用。 Pivotal Spring Framework 5.0.7之前的5.0.x版本、4.3.18之前的4.3.x版本和不再支持的更早版本存在安全漏洞，该漏洞源于程序允许Web应用程序将HTTP请求方法更改成任意的HTTP方法（包括：TRACE）。攻击者可利用该漏洞实施跨站跟踪攻击。

英文描述:

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

CWE类型:

（暂无数据）

受影响产品

厂商	产品	版本	版本范围	平台	CPE
Pivotal	Spring Framework	-	< 5.0.7	-	`cpe:2.3:a:pivotal:spring_framework::::::::`
vmware	spring_framework	*	-	-	`cpe:2.3:a:vmware:spring_framework::::::::`
oracle	agile_plm	9.3.3	-	-	`cpe:2.3:a:oracle:agile_plm:9.3.3:::::::*`
oracle	agile_plm	9.3.4	-	-	`cpe:2.3:a:oracle:agile_plm:9.3.4:::::::*`
oracle	agile_plm	9.3.5	-	-	`cpe:2.3:a:oracle:agile_plm:9.3.5:::::::*`
oracle	agile_plm	9.3.6	-	-	`cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*`
oracle	application_testing_suite	12.5.0.3	-	-	`cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:::::::*`
oracle	application_testing_suite	13.1.0.1	-	-	`cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:::::::*`
oracle	application_testing_suite	13.2.0.1	-	-	`cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:::::::*`
oracle	application_testing_suite	13.3.0.1	-	-	`cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:::::::*`
oracle	communications_diameter_signaling_router	*	-	-	`cpe:2.3:a:oracle:communications_diameter_signaling_router::::::::`
oracle	communications_network_integrity	*	-	-	`cpe:2.3:a:oracle:communications_network_integrity::::::::`
oracle	communications_online_mediation_controller	6.1	-	-	`cpe:2.3:a:oracle:communications_online_mediation_controller:6.1:::::::*`
oracle	communications_performance_intelligence_center	*	-	-	`cpe:2.3:a:oracle:communications_performance_intelligence_center::::::::`
oracle	communications_services_gatekeeper	*	-	-	`cpe:2.3:a:oracle:communications_services_gatekeeper::::::::`
oracle	communications_unified_inventory_management	7.3.2	-	-	`cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:::::::*`
oracle	communications_unified_inventory_management	7.3.4	-	-	`cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:::::::*`
oracle	communications_unified_inventory_management	7.3.5	-	-	`cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:::::::*`
oracle	communications_unified_inventory_management	7.4.0	-	-	`cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*`
oracle	endeca_information_discovery_integrator	3.1.0	-	-	`cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:::::::*`
oracle	endeca_information_discovery_integrator	3.2.0	-	-	`cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:::::::*`
oracle	enterprise_manager_base_platform	12.1.0.5.0	-	-	`cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:::::::*`
oracle	enterprise_manager_base_platform	13.2.0.0.0	-	-	`cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:::::::*`
oracle	enterprise_manager_base_platform	13.3.0.0.0	-	-	`cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:::::::*`
oracle	enterprise_manager_for_mysql_database	13.2	-	-	`cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:13.2:::::::*`
oracle	enterprise_manager_ops_center	12.3.3	-	-	`cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:::::::*`
oracle	health_sciences_information_manager	3.0	-	-	`cpe:2.3:a:oracle:health_sciences_information_manager:3.0:::::::*`
oracle	healthcare_master_person_index	3.0	-	-	`cpe:2.3:a:oracle:healthcare_master_person_index:3.0:::::::*`
oracle	healthcare_master_person_index	4.0	-	-	`cpe:2.3:a:oracle:healthcare_master_person_index:4.0:::::::*`
oracle	hospitality_guest_access	4.2.0	-	-	`cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:::::::*`
oracle	hospitality_guest_access	4.2.1	-	-	`cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:::::::*`
oracle	insurance_calculation_engine	*	-	-	`cpe:2.3:a:oracle:insurance_calculation_engine::::::::`
oracle	insurance_calculation_engine	10.2	-	-	`cpe:2.3:a:oracle:insurance_calculation_engine:10.2:::::::*`
oracle	insurance_rules_palette	10.0	-	-	`cpe:2.3:a:oracle:insurance_rules_palette:10.0:::::::*`
oracle	insurance_rules_palette	10.2	-	-	`cpe:2.3:a:oracle:insurance_rules_palette:10.2:::::::*`
oracle	micros_lucas	2.9.5	-	-	`cpe:2.3:a:oracle:micros_lucas:2.9.5:::::::*`
oracle	mysql_enterprise_monitor	*	-	-	`cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::`
oracle	primavera_p6_enterprise_project_portfolio_management	18.8	-	-	`cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:::::::*`
oracle	retail_advanced_inventory_planning	15.0	-	-	`cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:::::::*`
oracle	retail_assortment_planning	14.1	-	-	`cpe:2.3:a:oracle:retail_assortment_planning:14.1:::::::*`
oracle	retail_assortment_planning	15.0	-	-	`cpe:2.3:a:oracle:retail_assortment_planning:15.0:::::::*`
oracle	retail_assortment_planning	16.0	-	-	`cpe:2.3:a:oracle:retail_assortment_planning:16.0:::::::*`
oracle	retail_clearance_optimization_engine	14.0.5	-	-	`cpe:2.3:a:oracle:retail_clearance_optimization_engine:14.0.5:::::::*`
oracle	retail_customer_insights	15.0	-	-	`cpe:2.3:a:oracle:retail_customer_insights:15.0:::::::*`
oracle	retail_customer_insights	16.0	-	-	`cpe:2.3:a:oracle:retail_customer_insights:16.0:::::::*`
oracle	retail_financial_integration	13.2	-	-	`cpe:2.3:a:oracle:retail_financial_integration:13.2:::::::*`
oracle	retail_financial_integration	14.0	-	-	`cpe:2.3:a:oracle:retail_financial_integration:14.0:::::::*`
oracle	retail_financial_integration	14.1	-	-	`cpe:2.3:a:oracle:retail_financial_integration:14.1:::::::*`
oracle	retail_financial_integration	15.0	-	-	`cpe:2.3:a:oracle:retail_financial_integration:15.0:::::::*`
oracle	retail_financial_integration	16.0	-	-	`cpe:2.3:a:oracle:retail_financial_integration:16.0:::::::*`
oracle	retail_integration_bus	14.1.2	-	-	`cpe:2.3:a:oracle:retail_integration_bus:14.1.2:::::::*`
oracle	retail_markdown_optimization	13.4.4	-	-	`cpe:2.3:a:oracle:retail_markdown_optimization:13.4.4:::::::*`
oracle	retail_predictive_application_server	14.0.3.26	-	-	`cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3.26:::::::*`
oracle	retail_predictive_application_server	14.1.3.37	-	-	`cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.37:::::::*`
oracle	retail_predictive_application_server	15.0.3..100	-	-	`cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3..100:::::::*`
oracle	retail_predictive_application_server	16.0	-	-	`cpe:2.3:a:oracle:retail_predictive_application_server:16.0:::::::*`
oracle	retail_xstore_point_of_service	7.1	-	-	`cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:::::::*`
oracle	utilities_network_management_system	1.12.0.3	-	-	`cpe:2.3:a:oracle:utilities_network_management_system:1.12.0.3:::::::*`
oracle	weblogic_server	10.3.6.0.0	-	-	`cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:::::::*`
oracle	weblogic_server	12.1.3.0.0	-	-	`cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:::::::*`
oracle	weblogic_server	12.2.1.3.0	-	-	`cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*`
debian	debian_linux	9.0	-	-	`cpe:2.3:o:debian:debian_linux:9.0:::::::*`

解决方案

中文解决方案:

（暂无数据）

英文解决方案:

（暂无数据）

临时解决方案:

（暂无数据）

参考链接

107984 vdb-entry
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问