CVE-2018-1272

CWE-88 | 10 documents | 8 sources
Severity: 7.5 HIGH
EPSS: 2.2% (top 15.70%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 6; Latest update Oct 23

Description

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack in which an extra multipart is inserted into the content of the request from server A, causing server B to use the wrong value.
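As an added illustration (not Spring's own code): a simplified stand-in for a client-side multipart writer, showing the unsafe interpolation of a forwarded value beside a hardened check, plus a part counter that plays the role of server B. The boundary, field names and sample filename are constructed for the demonstration.

```python
import re

# Constructed, fixed boundary so the run is deterministic (real clients draw a
# random one per request); assumes the worst case of a known boundary.
BOUNDARY = "----ExampleBoundary1234"

# Characters that end a header line or close the quoted parameter value.
_UNSAFE = re.compile(r'[\r\n"]')


def part_header_naive(name: str, filename: str) -> str:
    """Vulnerable pattern: client-supplied values are interpolated verbatim."""
    return (f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n")


def part_header_safe(name: str, filename: str) -> str:
    """Hardened pattern: refuse values that could break out of the header."""
    for value in (name, filename):
        if _UNSAFE.search(value) or BOUNDARY in value:
            raise ValueError(f"unsafe multipart parameter: {value!r}")
    return part_header_naive(name, filename)


def build_body(boundary: str, header: str, content: bytes) -> bytes:
    """Assemble a one-part multipart/form-data body in RFC 7578 layout."""
    return (f"--{boundary}\r\n{header}".encode() + content
            + f"\r\n--{boundary}--\r\n".encode())


def count_parts(body: bytes, boundary: str) -> int:
    """Count parts as the receiving server (server B) would: one per
    delimiter line '--<boundary>' (the closing '--<boundary>--' differs)."""
    delimiter = f"--{boundary}".encode()
    return sum(1 for line in body.split(b"\r\n") if line == delimiter)


def is_rejected(name: str, filename: str) -> bool:
    """True when the hardened builder refuses the given parameters."""
    try:
        part_header_safe(name, filename)
    except ValueError:
        return True
    return False


# Constructed sample: a filename that smuggles a second part. Server A intends
# to forward one upload; server B, parsing the naive body, sees two parts.
SMUGGLED = ('report.txt"\r\n\r\nx\r\n--' + BOUNDARY
            + '\r\nContent-Disposition: form-data; name="injected"\r\n\r\ny')
```

A random boundary alone does not close this class of bug: CR/LF in a forwarded value still lets it add or alter headers of its own part, so reject or encode control characters and quotes in every client-derived value before it is written.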

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9

Affected Packages (28 packages)

Source | Package | Introduced | Fixed
NVD | vmware/spring_framework | 4.3.0 | 4.3.15 (+1)
Maven | org.springframework:spring-core | 5.0.0 | 5.0.5 (+1)
CVEListV5 | spring_by_pivotal/spring_framework | Versions prior to 5.0.5 and 4.3.15

Patches

🔴 Vulnerability Details (4)

GHSA: Possible privilege escalation in org.springframework:spring-core (2018-10-17)
OSV: Possible privilege escalation in org.springframework:spring-core (2018-10-17)
CVEList: CVE-2018-1272: Spring Framework, versions 5 (2018-04-06)
OSV: CVE-2018-1272: Spring Framework, versions 5 (2018-04-06)

💥 Exploits & PoCs (1)

Exploit-DB: ServersCheck Monitoring Software 14.3.3 - 'id' SQL Injection (2018-10-23)

📋 Vendor Advisories (2)

Red Hat: spring-framework: Multipart content pollution (2018-04-05)
Debian: CVE-2018-1272: libspring-java - Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 a... (2018)

💬 Community (2)

Bugzilla: CVE-2018-1272 spring-framework: Multipart content pollution (2018-04-06)
Bugzilla: CVE-2018-1270 CVE-2018-1272 springframework: various flaws [fedora-all] (2018-04-06)