Vulnerability Details : CVE-2018-1258
Spring Framework version 5.0.5, when used in combination with any version of Spring Security, contains an authorization bypass in method security: a user who is not authorized can gain access to methods that should have been restricted.
Vulnerability category: Bypass
Products affected by CVE-2018-1258
- cpe:2.3:a:redhat:fuse:7.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:10.3.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_testing_suite:10.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_rules_palette:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_repository:12.1.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:big_data_discovery:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:tape_library_acsls:8.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_assortment_planning:14.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:13.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_policy_administration:10.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_policy_administration:10.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_policy_administration:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_policy_administration:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_fin_install:9.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:13.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:14.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:14.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:* (versions from 7.3.2 up to and including 7.3.6)
- cpe:2.3:a:vmware:spring_framework:5.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:windows:*:*
- cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vsphere:*:*
- cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*
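The description and the two Spring CPE entries above pin down the affected combination: Spring Framework exactly 5.0.5 together with any version of Spring Security. The script below is an added example for this page, not tooling from Spring, Pivotal or NVD; it reads `mvn dependency:tree` output and reports whether both halves of that combination are present. It assumes (my assumptions, not the page's) the default Maven tree layout, that Spring Framework modules carry groupId org.springframework with the affected release versioned 5.0.5.RELEASE, and that Spring Security modules carry groupId org.springframework.security. The sample tree is constructed, not captured from a real build.

```python
"""Check a Maven dependency tree for the CVE-2018-1258 condition.

Added example for this page, not tooling from Spring, Pivotal or NVD. It
encodes the two conditions in the description above: Spring Framework is
exactly 5.0.5 AND some Spring Security module (any version) is present.
Assumptions that are mine, not the page's: input is `mvn dependency:tree`
text in the default `group:artifact:type[:classifier]:version[:scope]`
layout, Spring Framework modules use groupId org.springframework with the
release versioned 5.0.5.RELEASE, and Spring Security modules use groupId
org.springframework.security.
"""
import re

# Exact-match groupIds: org.springframework.boot, org.springframework.data etc.
# are separate projects and are deliberately not treated as the framework.
SPRING_FRAMEWORK_GROUP = "org.springframework"
SPRING_SECURITY_GROUP = "org.springframework.security"
# Only 5.0.5 is listed in the spring_framework CPE above.
AFFECTED_FRAMEWORK_VERSIONS = {"5.0.5", "5.0.5.RELEASE"}

# A coordinate is 4 to 6 colon-separated tokens at the end of the line.
_COORD_AT_EOL = re.compile(r"([\w.\-]+(?::[\w.\-]+){3,5})\s*$")


def parse_coordinate(line):
    """Return (group, artifact, version) for one dependency:tree line, or None.

    Strips the tree-drawing prefix and trailing annotations such as
    '(version managed from 5.0.4.RELEASE)' before reading the coordinate.
    """
    line = re.sub(r"\s*\(.*\)\s*$", "", line.rstrip())
    m = _COORD_AT_EOL.search(line)
    if not m:
        return None
    parts = m.group(1).split(":")
    if len(parts) in (4, 5):      # group:artifact:type:version[:scope]
        return parts[0], parts[1], parts[3]
    if len(parts) == 6:           # group:artifact:type:classifier:version:scope
        return parts[0], parts[1], parts[4]
    return None


def assess(tree_text):
    """Summarise whether the tree matches the CVE's affected combination."""
    framework, security = [], []
    for line in tree_text.splitlines():
        coord = parse_coordinate(line)
        if coord is None:
            continue
        group, artifact, version = coord
        if group == SPRING_FRAMEWORK_GROUP and version in AFFECTED_FRAMEWORK_VERSIONS:
            framework.append(f"{artifact}:{version}")
        elif group == SPRING_SECURITY_GROUP:
            security.append(f"{artifact}:{version}")
    return {
        "vulnerable": bool(framework) and bool(security),
        "spring_framework_5_0_5": framework,
        "spring_security": security,
    }


# Constructed sample output (not captured from a real build): a webapp on
# Spring Framework 5.0.5 with Spring Security on the classpath.
VULNERABLE_TREE = """\
[INFO] com.example:demo-webapp:war:1.0.0
[INFO] +- org.springframework:spring-webmvc:jar:5.0.5.RELEASE:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.0.5.RELEASE:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.0.5.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-config:jar:5.0.4.RELEASE:compile
[INFO] |  \\- org.springframework.security:spring-security-core:jar:5.0.4.RELEASE:compile
[INFO] \\- junit:junit:jar:4.12:test
"""

if __name__ == "__main__":
    print(assess(VULNERABLE_TREE))
```

Run `mvn dependency:tree` in the project and pass its output to `assess()`. The framework check is deliberately exact: per the CPE list only 5.0.5 is affected by this CVE, so a tree on 5.0.4 or 5.0.6 reports as not matching even though unrelated CVEs may apply to those releases.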
Exploit prediction scoring system (EPSS) score for CVE-2018-1258
- EPSS score: 0.22% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~42% (proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2018-1258
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
| 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST |
| 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
CWE ids for CVE-2018-1258
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. (Assigned by nvd@nist.gov, primary)
References for CVE-2018-1258
- [RHSA-2019:2413 - Security Advisory - Red Hat Customer Portal](https://access.redhat.com/errata/RHSA-2019:2413) (Patch; Third Party Advisory)
- [Oracle Critical Patch Update Advisory - January 2020](https://www.oracle.com/security-alerts/cpujan2020.html) (Patch; Third Party Advisory)
- [Oracle WebLogic Server Multiple Bugs Let Remote Users Gain Elevated Privileges, Access Data, and Partially Modify Data - SecurityTracker](http://www.securitytracker.com/id/1041896) (Third Party Advisory; VDB Entry)
- [CPU Oct 2018](http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html) (Patch; Third Party Advisory)
- [Oracle Critical Patch Update Advisory - April 2020](https://www.oracle.com/security-alerts/cpuapr2020.html) (Patch; Third Party Advisory)
- [Oracle Critical Patch Update Advisory - July 2020](https://www.oracle.com/security-alerts/cpujul2020.html) (Patch; Third Party Advisory)
- [Oracle Critical Patch Update - July 2019](https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html) (Patch; Third Party Advisory)
- [CVE-2018-1258: Unauthorized Access with Spring Security Method Security | Security | Pivotal](https://pivotal.io/security/cve-2018-1258) (Vendor Advisory)
- [Oracle Critical Patch Update Advisory - January 2021](https://www.oracle.com/security-alerts/cpujan2021.html) (Patch; Third Party Advisory)
- [MySQL Multiple Flaws Let Remote Users Gain Elevated Privileges, Remote Authenticated Users Access and Modify Data, and Remote and Local Users Deny Service - SecurityTracker](http://www.securitytracker.com/id/1041888) (Third Party Advisory; VDB Entry)
- [Oracle Critical Patch Update - April 2019](https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html) (Patch; Third Party Advisory)
- [October 2018 MySQL Vulnerabilities in NetApp Products | NetApp Product Security](https://security.netapp.com/advisory/ntap-20181018-0002/) (Third Party Advisory)
- [Spring Security and Spring Framework CVE-2018-1258 Authorization Bypass Vulnerability](http://www.securityfocus.com/bid/104222) (Third Party Advisory; VDB Entry)
- [Oracle Critical Patch Update - January 2019](https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html) (Patch; Third Party Advisory)
- [Oracle Critical Patch Update Advisory - October 2021](https://www.oracle.com/security-alerts/cpuoct2021.html) (Patch; Third Party Advisory)
- [CPU July 2018](http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html) (Patch; Third Party Advisory)