CVE-2018-11040: High severity VMware Spring Framework vulnerability

Published Jun 25, 2018
·
Updated

Pivotal Spring Framework could allow a remote attacker to bypass security restrictions, caused by a flaw in AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView. By sending a specially-crafted request, an attacker could exploit this vulnerability to perform cross-domain requests.

Other sources

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Affected Software

54 affected componentsFixes available
maven/org.springframework:spring-core>=4.3.0.RELEASE<4.3.18.RELEASE
4.3.18.RELEASE
maven/org.springframework:spring-core>=5.0.0.RELEASE<5.0.7.RELEASE
5.0.7.RELEASE
VMware Spring Framework<4.3.18
VMware Spring Framework>=5.0.0<5.0.7
Oracle Agile Product Lifecycle Management=9.3.3
Oracle Agile Product Lifecycle Management=9.3.4
Oracle Agile Product Lifecycle Management=9.3.5
Oracle Application Testing Suite=12.5.0.3
Oracle Application Testing Suite=13.1.0.1
Oracle Application Testing Suite=13.2.0.1
Oracle Application Testing Suite=13.3.0.1
Oracle Communications Network Integrity>=7.3.2<=7.3.6
Oracle Communications Online Mediation Controller=6.1
Oracle Communications Services Gatekeeper<6.1.0.4.0
Oracle Communications Unified Inventory Management=7.3.2
Oracle Communications Unified Inventory Management=7.3.4
Oracle Communications Unified Inventory Management=7.3.5
Oracle Communications Unified Inventory Management=7.4.0
Oracle Endeca Information Discovery Integrator=3.1.0
Oracle Endeca Information Discovery Integrator=3.2.0
Oracle Enterprise Manager Mysql=13.2
Oracle Enterprise Manager Ops Center=12.3.3
Oracle FLEXCUBE Private Banking=2.0.0.0
Oracle FLEXCUBE Private Banking=2.2.0.1
Oracle FLEXCUBE Private Banking=12.0.1.0
Oracle FLEXCUBE Private Banking=12.0.3.0
Oracle FLEXCUBE Private Banking=12.1.0.0
Oracle Healthcare Master Person Index=3.0
Oracle Healthcare Master Person Index=4.0
Oracle Hospitality Guest Access=4.2.0
Oracle Hospitality Guest Access=4.2.1
Oracle Insurance Calculation Engine>=11.0.0<=11.3.1
Oracle Insurance Rules Palette=10.0
Oracle Insurance Rules Palette=10.2
Oracle MICROS Lucas=2.9.5
Oracle MySQL Enterprise Monitor<=3.4.9.4237
Oracle MySQL Enterprise Monitor>=3.4.10<=4.0.6.5281
Oracle MySQL Enterprise Monitor>=4.0.7<=8.0.2.8191
Oracle Product Lifecycle Management=9.3.6
Oracle Retail Advanced Inventory Planning=15.0
Oracle Retail Clearance Optimization Engine=14.0.5
Oracle Retail Customer Insights=15.0
Oracle Retail Customer Insights=16.0
Oracle Retail Markdown Optimization=13.4.4
Oracle Retail Predictive Application Server=14.0.3.26
Oracle Retail Predictive Application Server=14.1.3.37
Oracle Retail Predictive Application Server=15.0.3.100
Oracle Retail Predictive Application Server=16.0
Oracle Retail Service Backbone=16.0.1
Oracle Retail Xstore Point of Service=7.1
Oracle Utilities Network Management System=1.12.0.3
Oracle WebLogic Server=12.2.1.3.0
Debian Debian Linux=9.0
IBM GDE<=3.0.0.2

Remediation

Patch Available

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Patch Available

https://www.oracle.com/security-alerts/cpujan2020.html

Patch Available

https://www.oracle.com/security-alerts/cpujul2020.html

Patch Available

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch Available

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Patch Available

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Patch Available

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Event History

Jun 25, 2018
CVE Published
via MITRE·03:00 PM
Data Sourced
via MITRE·03:00 PM
DescriptionWeakness
Oct 16, 2018
Advisory Published
via GitHub·05:43 PM

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2018-11040?

CVE-2018-11040 is a vulnerability in the Pivotal Spring Framework that allows a remote attacker to bypass security restrictions.

2

Which versions of Spring Framework are affected by CVE-2018-11040?

Spring Framework versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18, as well as older unsupported versions, are affected.

3

How can a remote attacker exploit CVE-2018-11040?

A remote attacker can exploit CVE-2018-11040 by enabling cross-domain requests via JSONP through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests.

4

What is the severity of CVE-2018-11040?

CVE-2018-11040 has a severity value of 7.5 (high).

5

Where can I find more information about CVE-2018-11040?

You can find more information about CVE-2018-11040 in the Oracle Security Advisory and Debian LTS Announcement.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203