7.5
CVE-2018-11040
- EPSS 8.25%
- Published 25.06.2018 15:29:00
- Last modified 21.11.2024 03:42:32
- Source security_alert@emc.com
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
Data provided by the National Vulnerability Database (NVD)
VMware ≫ Spring Framework Version < 4.3.18
VMware ≫ Spring Framework Version >= 5.0.0 < 5.0.7
Oracle ≫ Agile Product Lifecycle Management Version 9.3.3
Oracle ≫ Agile Product Lifecycle Management Version 9.3.4
Oracle ≫ Agile Product Lifecycle Management Version 9.3.5
Oracle ≫ Application Testing Suite Version 12.5.0.3
Oracle ≫ Application Testing Suite Version 13.1.0.1
Oracle ≫ Application Testing Suite Version 13.2.0.1
Oracle ≫ Application Testing Suite Version 13.3.0.1
Oracle ≫ Communications Network Integrity Version >= 7.3.2 <= 7.3.6
Oracle ≫ Communications Online Mediation Controller Version 6.1
Oracle ≫ Communications Services Gatekeeper Version < 6.1.0.4.0
Oracle ≫ Communications Unified Inventory Management Version 7.3.2
Oracle ≫ Communications Unified Inventory Management Version 7.3.4
Oracle ≫ Communications Unified Inventory Management Version 7.3.5
Oracle ≫ Communications Unified Inventory Management Version 7.4.0
Oracle ≫ Endeca Information Discovery Integrator Version 3.1.0
Oracle ≫ Endeca Information Discovery Integrator Version 3.2.0
Oracle ≫ Enterprise Manager Version 13.2 SwPlatform mysql
Oracle ≫ Enterprise Manager Ops Center Version 12.3.3
Oracle ≫ Flexcube Private Banking Version 2.0.0.0
Oracle ≫ Flexcube Private Banking Version 2.2.0.1
Oracle ≫ Flexcube Private Banking Version 12.0.1.0
Oracle ≫ Flexcube Private Banking Version 12.0.3.0
Oracle ≫ Flexcube Private Banking Version 12.1.0.0
Oracle ≫ Healthcare Master Person Index Version 3.0
Oracle ≫ Healthcare Master Person Index Version 4.0
Oracle ≫ Hospitality Guest Access Version 4.2.0
Oracle ≫ Hospitality Guest Access Version 4.2.1
Oracle ≫ Insurance Calculation Engine Version >= 11.0.0 <= 11.3.1
Oracle ≫ Insurance Rules Palette Version 10.0
Oracle ≫ Insurance Rules Palette Version 10.2
Oracle ≫ Micros Lucas Version 2.9.5
Oracle ≫ Mysql Enterprise Monitor Version <= 3.4.9.4237
Oracle ≫ Mysql Enterprise Monitor Version >= 3.4.10 <= 4.0.6.5281
Oracle ≫ Mysql Enterprise Monitor Version >= 4.0.7 <= 8.0.2.8191
Oracle ≫ Product Lifecycle Management Version 9.3.6
Oracle ≫ Retail Advanced Inventory Planning Version 15.0
Oracle ≫ Retail Clearance Optimization Engine Version 14.0.5
Oracle ≫ Retail Customer Insights Version 15.0
Oracle ≫ Retail Customer Insights Version 16.0
Oracle ≫ Retail Markdown Optimization Version 13.4.4
Oracle ≫ Retail Predictive Application Server Version 14.0.3.26
Oracle ≫ Retail Predictive Application Server Version 14.1.3.37
Oracle ≫ Retail Predictive Application Server Version 15.0.3.100
Oracle ≫ Retail Predictive Application Server Version 16.0
Oracle ≫ Retail Service Backbone Version 16.0.1
Oracle ≫ Retail Xstore Point Of Service Version 7.1
Oracle ≫ Utilities Network Management System Version 1.12.0.3
Oracle ≫ Weblogic Server Version 12.2.1.3.0
Debian ≫ Debian Linux Version 9.0
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 8.25% | 0.919 |
Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:P/I:N/A:N |
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.