CVE-2018-11039
- CVSS base score 5.9
- EPSS 2.92%
- Published 25.06.2018 15:29:00
- Last modified 21.11.2024 03:42:32
- Source security_alert@emc.com
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
Data is provided by the National Vulnerability Database (NVD)
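To make the escalation path in the description concrete, the following is an added example, not code from the Spring project or from this page. It models the two behaviours of HiddenHttpMethodFilter that matter here: before the fix, any value of the hidden `_method` form parameter on a POST is honoured; after the fix (Spring 5.0.7 / 4.3.18), only PUT, PATCH and DELETE are. Once the method has been rewritten to TRACE, the servlet's default doTrace handling echoes the request headers back in the response body, so script injected through the pre-existing XSS can read the Cookie header the browser attached to its same-origin POST, including cookies that JavaScript could not otherwise read. The `Request` class, the container model and the sample request are all constructed for the illustration; the parameter name `_method` and the allow-list are the real ones from the filter.

```python
"""Model of the CVE-2018-11039 method-override behaviour (constructed
illustration; not Spring Framework code)."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Name of the hidden form parameter HiddenHttpMethodFilter reads.
OVERRIDE_PARAM = "_method"

# Allow-list applied by the fixed filter (Spring 5.0.7 / 4.3.18).
ALLOWED_OVERRIDES = frozenset({"PUT", "PATCH", "DELETE"})


@dataclass
class Request:
    """Minimal stand-in for an HttpServletRequest (constructed for the example)."""
    method: str
    headers: dict = field(default_factory=dict)
    body: str = ""  # application/x-www-form-urlencoded body

    def form_param(self, name):
        return parse_qs(self.body).get(name, [None])[0]


def effective_method_vulnerable(req):
    """Pre-fix behaviour: on a POST, any non-empty _method value replaces the
    method, so '_method=TRACE' turns the request into a TRACE."""
    if req.method != "POST":
        return req.method
    override = req.form_param(OVERRIDE_PARAM)
    return override.upper() if override else req.method


def effective_method_fixed(req):
    """Post-fix behaviour: only PUT, PATCH and DELETE may be set through the
    hidden parameter; anything else leaves the request a plain POST."""
    if req.method != "POST":
        return req.method
    override = req.form_param(OVERRIDE_PARAM)
    if override and override.upper() in ALLOWED_OVERRIDES:
        return override.upper()
    return req.method


def trace_echo(req, resolve_method):
    """Model of the servlet container's default TRACE handling: echo the
    request line and headers back as the response body (message/http).
    Returns None when the request does not end up as a TRACE."""
    if resolve_method(req) != "TRACE":
        return None
    lines = ["TRACE / HTTP/1.1"] + [f"{k}: {v}" for k, v in req.headers.items()]
    return "\r\n".join(lines)


def leaked_cookie(echo_body):
    """What XST buys the attacker: the Cookie header, HttpOnly cookies
    included, read back out of the echoed request by injected script."""
    if not echo_body:
        return None
    for line in echo_body.split("\r\n"):
        if line.lower().startswith("cookie:"):
            return line.split(":", 1)[1].strip()
    return None


# Constructed sample: a same-origin POST issued by script injected via XSS.
# The browser, not the script, attaches the session cookie.
XSS_FORGED_POST = Request(
    method="POST",
    headers={"Host": "app.example", "Cookie": "JSESSIONID=abc123"},
    body="_method=TRACE",
)

if __name__ == "__main__":
    print("vulnerable:", leaked_cookie(trace_echo(XSS_FORGED_POST, effective_method_vulnerable)))
    print("fixed:     ", leaked_cookie(trace_echo(XSS_FORGED_POST, effective_method_fixed)))
```

The point of the allow-list is that the rewrite happens inside the servlet filter chain, after the container has already accepted the original POST, so the fix has to live in the filter (or in the application not registering it at all when it does not need form-based PUT/PATCH/DELETE) rather than only in a container-level TRACE setting. The XSS itself is a separate bug; this CVE is the method override that lets it reach TRACE.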
VMware ≫ Spring Framework Version < 4.3.18
VMware ≫ Spring Framework Version >= 5.0.0 < 5.0.7
Oracle ≫ Application Testing Suite Version 12.5.0.3
Oracle ≫ Application Testing Suite Version 13.1.0.1
Oracle ≫ Application Testing Suite Version 13.2.0.1
Oracle ≫ Application Testing Suite Version 13.3.0.1
Oracle ≫ Communications Diameter Signaling Router Version < 8.3
Oracle ≫ Communications Network Integrity Version >= 7.3.2 <= 7.3.6
Oracle ≫ Communications Online Mediation Controller Version 6.1
Oracle ≫ Communications Performance Intelligence Center Version < 10.2.1
Oracle ≫ Communications Services Gatekeeper Version < 6.1.0.4.0
Oracle ≫ Communications Unified Inventory Management Version 7.3.2
Oracle ≫ Communications Unified Inventory Management Version 7.3.4
Oracle ≫ Communications Unified Inventory Management Version 7.3.5
Oracle ≫ Communications Unified Inventory Management Version 7.4.0
Oracle ≫ Endeca Information Discovery Integrator Version 3.1.0
Oracle ≫ Endeca Information Discovery Integrator Version 3.2.0
Oracle ≫ Enterprise Manager Base Platform Version 12.1.0.5.0
Oracle ≫ Enterprise Manager Base Platform Version 13.2.0.0.0
Oracle ≫ Enterprise Manager Base Platform Version 13.3.0.0.0
Oracle ≫ Enterprise Manager For Mysql Database Version 13.2
Oracle ≫ Enterprise Manager Ops Center Version 12.3.3
Oracle ≫ Health Sciences Information Manager Version 3.0
Oracle ≫ Healthcare Master Person Index Version 3.0
Oracle ≫ Healthcare Master Person Index Version 4.0
Oracle ≫ Hospitality Guest Access Version 4.2.0
Oracle ≫ Hospitality Guest Access Version 4.2.1
Oracle ≫ Insurance Calculation Engine Version >= 11.0.0 <= 11.3.1
Oracle ≫ Insurance Calculation Engine Version 10.2
Oracle ≫ Insurance Rules Palette Version 10.0
Oracle ≫ Insurance Rules Palette Version 10.2
Oracle ≫ Micros Lucas Version 2.9.5
Oracle ≫ Mysql Enterprise Monitor Version <= 3.4.9.4237
Oracle ≫ Mysql Enterprise Monitor Version >= 4.0.0 <= 4.0.6.5281
Oracle ≫ Mysql Enterprise Monitor Version >= 8.0.0 <= 8.0.2.8191
Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version 18.8
Oracle ≫ Retail Advanced Inventory Planning Version 15.0
Oracle ≫ Retail Assortment Planning Version 14.1
Oracle ≫ Retail Assortment Planning Version 15.0
Oracle ≫ Retail Assortment Planning Version 16.0
Oracle ≫ Retail Clearance Optimization Engine Version 14.0.5
Oracle ≫ Retail Customer Insights Version 15.0
Oracle ≫ Retail Customer Insights Version 16.0
Oracle ≫ Retail Financial Integration Version 13.2
Oracle ≫ Retail Financial Integration Version 14.0
Oracle ≫ Retail Financial Integration Version 14.1
Oracle ≫ Retail Financial Integration Version 15.0
Oracle ≫ Retail Financial Integration Version 16.0
Oracle ≫ Retail Integration Bus Version 14.1.2
Oracle ≫ Retail Markdown Optimization Version 13.4.4
Oracle ≫ Retail Predictive Application Server Version 14.0.3.26
Oracle ≫ Retail Predictive Application Server Version 14.1.3.37
Oracle ≫ Retail Predictive Application Server Version 15.0.3..100
Oracle ≫ Retail Predictive Application Server Version 16.0
Oracle ≫ Retail Xstore Point Of Service Version 7.1
Oracle ≫ Utilities Network Management System Version 1.12.0.3
Oracle ≫ Weblogic Server Version 10.3.6.0.0
Oracle ≫ Weblogic Server Version 12.1.3.0.0
Oracle ≫ Weblogic Server Version 12.2.1.3.0
Debian ≫ Debian Linux Version 9.0
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 2.92% | 0.859 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 5.9 | 2.2 | 3.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:P/I:N/A:N (CVSS v2) |