Risk | Low |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2018-11039 CVE-2018-11040 |
CWE-ID | CWE-200 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Pivotal Spring Framework (Server applications / Frameworks for developing and running applications) |
Vendor | Pivotal |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU13499
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-11039
CWE-ID: CWE-200 - Information exposure
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site tracing (XST) attacks.
The vulnerability exists because the HiddenHttpMethodFilter class in the Spring MVC framework used by the affected software allows web applications to change the HTTP request method to any HTTP method, including the TRACE method. A remote attacker can trick a user of a web application that has a cross-site scripting (XSS) vulnerability into following a link that submits malicious input, conduct an XST attack and access sensitive information, such as the user's credentials.
Successful exploitation of the vulnerability results in information disclosure.
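As an added illustration (not code from this advisory or from the Spring project), a defender-side servlet filter that honours the hidden "_method" override only for an allow-list of PUT, PATCH and DELETE, the methods an HTML form cannot send natively, so a crafted form cannot rewrite a POST into TRACE. The class name and the allow-list are assumptions; "_method" is the default parameter name of Spring's HiddenHttpMethodFilter.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical allow-listed replacement for the unrestricted method-override
 * filter in Spring 4.3.0 - 5.0.6: the "_method" parameter may only promote a
 * POST to PUT, PATCH or DELETE; TRACE, GET, CONNECT etc. are ignored.
 */
public class RestrictedHiddenHttpMethodFilter extends OncePerRequestFilter {

    private static final String METHOD_PARAM = "_method";

    // Assumed allow-list: only methods an HTML form cannot send by itself.
    private static final Set<String> ALLOWED_OVERRIDES =
            new HashSet<>(Arrays.asList("PUT", "PATCH", "DELETE"));

    /** Returns the effective method for a request carrying an override parameter. */
    static String resolveMethod(String requestMethod, String override) {
        if (!"POST".equals(requestMethod) || override == null || override.isEmpty()) {
            return requestMethod;            // override is only honoured on POST
        }
        String candidate = override.toUpperCase(Locale.ENGLISH);
        // e.g. resolveMethod("POST", "trace") -> "POST", resolveMethod("POST", "delete") -> "DELETE"
        return ALLOWED_OVERRIDES.contains(candidate) ? candidate : requestMethod;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        final String effective = resolveMethod(request.getMethod(), request.getParameter(METHOD_PARAM));
        HttpServletRequest toPass = effective.equals(request.getMethod())
                ? request                    // nothing to override, pass through unchanged
                : new HttpServletRequestWrapper(request) {
                    @Override
                    public String getMethod() { return effective; }
                };
        filterChain.doFilter(toPass, response);
    }
}
```

Register this filter in place of HiddenHttpMethodFilter, or upgrade to a fixed version, which applies the same restriction to the supported override methods.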
Mitigation
Update to version 4.3.18 or 5.0.7.
Vulnerable software versions
Pivotal Spring Framework: 4.3.0 - 5.0.6
CPE2.3
https://pivotal.io/security/cve-2018-11039
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU13500
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-11040
CWE-ID: CWE-200 - Information exposure
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to improper cross-domain protections in the affected software. The software allows web applications to enable cross-domain requests via JSON with Padding (JSONP) through the AbstractJsonpResponseBodyAdvice class for REST controllers and through the MappingJackson2JsonView class for browser requests. A remote attacker can trick the victim into following a link that submits malicious input and access sensitive information.
Mitigation
Update to version 4.3.18 or 5.0.7.
Vulnerable software versions
Pivotal Spring Framework: 4.3.0 - 5.0.6
CPE2.3
https://pivotal.io/security/cve-2018-11040
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.