CVE-2018-11040
published 2018-06-25


Severity: high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically available through the "jsonp" and "callback" request parameters, enabling cross-domain requests.
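The following Spring Java configuration is an added example, not code from the advisory or from the Spring project. It shows the exposed pattern on affected versions (a MappingJackson2JsonView registered with its defaults, so the "jsonp" and "callback" parameters are honored) next to the mitigation of clearing the JSONP parameter names, which is also the safe setting to carry into the fixed releases. The class and bean names are assumptions.

```java
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.View;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

@Configuration
public class JsonViewConfig {

    // Exposed pattern on 5.0.x < 5.0.7 and 4.3.x < 4.3.18: registering the
    // view with its defaults leaves the built-in JSONP parameter names
    // ("jsonp", "callback") active. A request such as GET /data?callback=cb
    // is then answered with "cb({...})" as a script body, which any origin
    // can load via a <script> element, bypassing the same-origin policy.
    //
    //   @Bean
    //   public View jsonView() {
    //       return new MappingJackson2JsonView();
    //   }

    // Mitigation: clear the JSONP parameter names so the view always writes
    // a plain application/json body, whatever query parameters arrive.
    // Cross-origin access, if actually needed, belongs in CORS configuration
    // (@CrossOrigin or a CorsRegistry), not in JSONP.
    @Bean
    public View jsonView() {
        MappingJackson2JsonView view = new MappingJackson2JsonView();
        view.setJsonpParameterNames(Collections.emptySet());
        return view;
    }

    // Note: do not register a subclass of AbstractJsonpResponseBodyAdvice
    // as a @ControllerAdvice; that is the REST-controller side of the same
    // exposure and has no safe configuration other than removing it.
}
```

To verify the mitigation, request a JSON-rendering endpoint with `?callback=test` and confirm the response is `application/json` whose body starts with `{` or `[` rather than `test(`.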

Affected

54 ranges, showing 25

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| debian | debian_linux | | |
| debian | libspring-java | < libspring-java 4.3.19-1 (bookworm) | libspring-java 4.3.19-1 (bookworm) |
| oracle | agile_product_lifecycle_management | | |
| oracle | agile_product_lifecycle_management | | |
| oracle | agile_product_lifecycle_management | | |
| oracle | application_testing_suite | | |
| oracle | application_testing_suite | | |
| oracle | application_testing_suite | | |
| oracle | application_testing_suite | | |
| oracle | communications_network_integrity | 7.3.2 – 7.3.6 | |
| oracle | communications_online_mediation_controller | | |
| oracle | communications_services_gatekeeper | < 6.1.0.4.0 | 6.1.0.4.0 |
| oracle | communications_unified_inventory_management | | |
| oracle | communications_unified_inventory_management | | |
| oracle | communications_unified_inventory_management | | |
| oracle | communications_unified_inventory_management | | |
| oracle | endeca_information_discovery_integrator | | |
| oracle | endeca_information_discovery_integrator | | |
| oracle | enterprise_manager | | |
| oracle | enterprise_manager_ops_center | | |
| oracle | flexcube_private_banking | | |
| oracle | flexcube_private_banking | | |
| oracle | flexcube_private_banking | | |
| oracle | flexcube_private_banking | | |
| oracle | flexcube_private_banking | | |

CVSS provenance

NVD (CVSS v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
OSV: 7.5 HIGH