7.5

CVE-2018-1272

EPSS 2.17%
Published 06.04.2018 13:29:00
Last modified 21.11.2024 03:59:30
Source security_alert@emc.com
Teams watchlist Login
Open Login

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Affected products Warnungen 0 Metrics 3 CWE 0 References 13

Data is provided by the National Vulnerability Database (NVD)

VMware ≫ Spring Framework Version >= 4.3.0 < 4.3.15

VMware ≫ Spring Framework Version >= 5.0 < 5.0.5

Oracle ≫ Application Testing Suite Version12.5.0.3

Oracle ≫ Application Testing Suite Version13.1.0.1

Oracle ≫ Application Testing Suite Version13.2.0.1

Oracle ≫ Application Testing Suite Version13.3.0.1

Oracle ≫ Big Data Discovery Version1.6.0

Oracle ≫ Communications Converged Application Server Version < 7.0.0.1

Oracle ≫ Communications Diameter Signaling Router Version < 8.3

Oracle ≫ Communications Performance Intelligence Center Version < 10.2.1

Oracle ≫ Communications Services Gatekeeper Version < 6.1.0.4.0

Oracle ≫ Enterprise Manager Ops Center Version12.2.2

Oracle ≫ Enterprise Manager Ops Center Version12.3.3

Oracle ≫ Goldengate For Big Data Version12.2.0.1

Oracle ≫ Goldengate For Big Data Version12.3.1.1

Oracle ≫ Goldengate For Big Data Version12.3.2.1

Oracle ≫ Health Sciences Information Manager Version3.0

Oracle ≫ Healthcare Master Person Index Version3.0

Oracle ≫ Healthcare Master Person Index Version4.0

Oracle ≫ Insurance Calculation Engine Version10.1.1

Oracle ≫ Insurance Calculation Engine Version10.2

Oracle ≫ Insurance Calculation Engine Version10.2.1

Oracle ≫ Insurance Rules Palette Version10.0

Oracle ≫ Insurance Rules Palette Version10.1

Oracle ≫ Insurance Rules Palette Version10.2

Oracle ≫ Insurance Rules Palette Version11.0

Oracle ≫ Insurance Rules Palette Version11.1

Oracle ≫ Primavera Gateway Version15.2

Oracle ≫ Primavera Gateway Version16.2

Oracle ≫ Primavera Gateway Version17.12

Oracle ≫ Retail Back Office Version14.0

Oracle ≫ Retail Back Office Version14.1

Oracle ≫ Retail Central Office Version14.0

Oracle ≫ Retail Central Office Version14.1

Oracle ≫ Retail Customer Insights Version15.0

Oracle ≫ Retail Customer Insights Version16.0

Oracle ≫ Retail Integration Bus Version14.0.1

Oracle ≫ Retail Integration Bus Version14.0.2

Oracle ≫ Retail Integration Bus Version14.0.3

Oracle ≫ Retail Integration Bus Version14.0.4

Oracle ≫ Retail Integration Bus Version14.1.1

Oracle ≫ Retail Integration Bus Version14.1.2

Oracle ≫ Retail Integration Bus Version14.1.3

Oracle ≫ Retail Integration Bus Version15.0.0.1

Oracle ≫ Retail Integration Bus Version15.0.1

Oracle ≫ Retail Integration Bus Version15.0.2

Oracle ≫ Retail Integration Bus Version16.0

Oracle ≫ Retail Integration Bus Version16.0.1

Oracle ≫ Retail Integration Bus Version16.0.2

Oracle ≫ Retail Open Commerce Platform Version5.3.0

Oracle ≫ Retail Open Commerce Platform Version6.0.0

Oracle ≫ Retail Open Commerce Platform Version6.0.1

Oracle ≫ Retail Order Broker Version5.1

Oracle ≫ Retail Order Broker Version5.2

Oracle ≫ Retail Order Broker Version15.0

Oracle ≫ Retail Order Broker Version16.0

Oracle ≫ Retail Point-of-sale Version14.0

Oracle ≫ Retail Point-of-sale Version14.1

Oracle ≫ Retail Predictive Application Server Version14.0

Oracle ≫ Retail Predictive Application Server Version14.1

Oracle ≫ Retail Predictive Application Server Version15.0

Oracle ≫ Retail Predictive Application Server Version16.0

Oracle ≫ Retail Returns Management Version14.0

Oracle ≫ Retail Returns Management Version14.1

Oracle ≫ Service Architecture Leveraging Tuxedo Version12.1.3.0.0

Oracle ≫ Service Architecture Leveraging Tuxedo Version12.2.2.0.0

Oracle ≫ Tape Library Acsls Version8.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.17%	0.836

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	1.6	5.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6	6.8	6.4	AV:N/AC:M/Au:S/C:P/I:P/A:P

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Patch

Third Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2669

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Patch

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.html

Patch

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:1320

Third Party Advisory

http://www.securityfocus.com/bid/103697

Third Party Advisory

VDB Entry

https://pivotal.io/security/cve-2018-1272

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-1272

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-1272

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-1272

EUVD