Vulnerability Details : CVE-2018-11040
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
Vulnerability category: File inclusion
Products affected by CVE-2018-11040
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager:13.2:*:*:*:*:mysql:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
- Oracle » Mysql Enterprise MonitorVersions from including (>=) 4.0.7 and up to, including, (<=) 8.0.2.8191cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- Oracle » Mysql Enterprise MonitorVersions from including (>=) 3.4.10 and up to, including, (<=) 4.0.6.5281cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*
- Oracle » Insurance Calculation EngineVersions from including (>=) 11.0.0 and up to, including, (<=) 11.3.1cpe:2.3:a:oracle:insurance_calculation_engine:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_service_backbone:16.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:2.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:12.0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:12.0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:12.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:2.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3.26:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.37:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3.100:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_online_mediation_controller:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_network_management_system:1.12.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:product_lifecycle_management:9.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*
- Oracle » Communications Network IntegrityVersions from including (>=) 7.3.2 and up to, including, (<=) 7.3.6cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_markdown_optimization:13.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-11040
8.54%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 92 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-11040
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2018-11040
-
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-11040
-
https://www.oracle.com/security-alerts/cpujan2020.html
Oracle Critical Patch Update Advisory - January 2020Patch;Third Party Advisory
-
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
CPU Oct 2018Patch;Third Party Advisory
-
https://pivotal.io/security/cve-2018-11040
CVE-2018-11040: JSONP enabled by default in MappingJackson2JsonView | Security | PivotalMitigation;Vendor Advisory
-
https://www.oracle.com/security-alerts/cpujul2020.html
Oracle Critical Patch Update Advisory - July 2020Patch;Third Party Advisory
-
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Oracle Critical Patch Update - July 2019Patch;Third Party Advisory
-
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Oracle Critical Patch Update - April 2019Patch;Third Party Advisory
-
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Oracle Critical Patch Update - January 2019Patch;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html
[SECURITY] [DLA 2635-1] libspring-java security updateMailing List;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpuoct2021.html
Oracle Critical Patch Update Advisory - October 2021Patch;Third Party Advisory
Jump to