CVE-2018-15756

CWE-20 — Improper Input Validation13 documents8 sources

Severity

7.5HIGH

EPSS

18.1%

top 4.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Framework Pivotal Spring Framework Oracle Financial Services Analytical Applications Infrastructure +38 more

Timeline

PublishedOct 18

Latest updateJan 15

Description

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service a…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages42 packages

▶Mavenorg.springframework:spring-core5.1.0.RELEASE — 5.1.1.RELEASE+2

▶NVDvmware/spring_framework4.2.0 — 4.3.20+2

▶CVEListV5pivotal/spring_framework5.0.0 — 5.0.9+2

▶Debianlibspring-java< 4.3.21-1+3

▶NVDoracle/financial_services_analytical_applications_infrastructure8.0.2 — 8.0.8

Also affects: Debian Linux 9.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Denial of Service in Spring Framework↗2020-06-15

▶

OSV

Denial of Service in Spring Framework↗2020-06-15

▶

CVEList

DoS Attack via Range Requests↗2018-10-18

▶

OSV

CVE-2018-15756: Spring Framework, version 5↗2018-10-18

▶

📋Vendor Advisories

Oracle

Oracle Oracle Enterprise Manager Risk Matrix: Topology Viewer (Spring Framework) — CVE-2018-15756↗2021-01-15

▶

Oracle

Oracle Oracle Retail Applications Risk Matrix: Point of Sale (Spring Framework) — CVE-2018-15756↗2020-07-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: IDIH Visualization (Spring Framework) — CVE-2018-15756↗2020-04-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Security (Spring Framework) — CVE-2018-15756↗2020-01-15

▶

Red Hat

springframework: DoS Attack via Range Requests↗2018-10-16

▶

💬Community

Bugzilla

CVE-2018-15756 springframework: DoS Attack via Range Requests↗2018-10-25

▶

Bugzilla

CVE-2018-15756 springframework: DoS Attack via Range Requests [fedora-all]↗2018-10-25

▶