SB2018062707 - Information disclosure in Pivotal Spring Framework
Published: June 27, 2018
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Cross-site tracing attack (CVE-ID: CVE-2018-11039)
The disclosed vulnerability allows a remote attacker to perform cross-site tracing (XST) attacks.
The vulnerability exists because the HiddenHttpMethodFilter class in the Spring MVC framework used by the affected software allows web applications to change the HTTP request method to any HTTP method, including the TRACE method. A remote attacker can trick a user of a web application that has a cross-site scripting (XSS) vulnerability into following a link that submits malicious input, conduct an XST attack and access sensitive information, such as the user's credentials.
Successful exploitation of the vulnerability results in information disclosure.
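The method-override behaviour described above, modelled in Python as an added illustration that is not Spring's own code: a form POST carries a hidden _method field naming the intended method. The first function reproduces the unrestricted behaviour (any value, including TRACE, replaces the real method); the second applies the defensive pattern of only rewriting a POST and only into an assumed allow-list of PUT, PATCH and DELETE, recording anything it refuses so it can be logged. The parameter name, the allow-list and the sample bodies are assumptions.

```python
"""Added illustration (not Spring code): handling an HTTP method-override
parameter the way a HiddenHttpMethodFilter-style filter does.
"""
from typing import FrozenSet, List, Optional
from urllib.parse import parse_qs

# Assumed allow-list: the only methods a form POST may be rewritten into.
SAFE_OVERRIDES: FrozenSet[str] = frozenset({"PUT", "PATCH", "DELETE"})


def _override_value(body: str, param: str) -> Optional[str]:
    """Return the override parameter from a form-encoded body, if present."""
    values = parse_qs(body).get(param)
    return values[0] if values else None


def resolve_method_unsafe(method: str, body: str, param: str = "_method") -> str:
    """Unrestricted behaviour: whatever the override names becomes the method.

    This is what lets a forged form turn a POST into TRACE.
    """
    override = _override_value(body, param)
    return override.upper() if override else method.upper()


def resolve_method_hardened(method: str, body: str, param: str = "_method",
                            allowed: FrozenSet[str] = SAFE_OVERRIDES,
                            rejected: Optional[List[str]] = None) -> str:
    """Only a POST may be overridden, and only into an allow-listed method.

    Any other override is ignored and, when a list is supplied, recorded so
    the application can log it; the request keeps its real method.
    """
    method = method.upper()
    if method != "POST":
        return method                      # GET/HEAD/etc. are never rewritten
    override = _override_value(body, param)
    if not override:
        return method
    override = override.strip().upper()
    if override not in allowed:
        if rejected is not None:
            rejected.append(override)      # e.g. TRACE, OPTIONS, CONNECT
        return method
    return override


if __name__ == "__main__":
    # Constructed sample bodies, as a browser would send them from an HTML form.
    for body in ("_method=TRACE&id=7", "_method=delete&id=7", "id=7"):
        seen: List[str] = []
        print(body, "->",
              "unsafe:", resolve_method_unsafe("POST", body),
              "hardened:", resolve_method_hardened("POST", body, rejected=seen),
              "rejected:", seen)
```

The hardened resolver keeps the request as a POST when the override is refused rather than failing the request outright, which mirrors what a filter in the request chain can do safely; the rejection list is where a real filter would emit a log line for detection.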
2) Information disclosure (CVE-ID: CVE-2018-11040)
The disclosed vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to improper cross-domain protections in the affected software. The software allows web applications to enable cross-domain requests via JSON with Padding (JSONP) through the AbstractJsonpResponseBodyAdvice class for REST controllers and through the MappingJackson2JsonView class for browser requests. A remote attacker can trick the victim into following a link that submits malicious input and access sensitive information.
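Why a JSONP response undermines the cross-domain protections the bulletin refers to, as an added Python model that is not Spring's own code: a controller response is wrapped in a script call when a callback parameter is present, and a browser loading that resource through a script tag executes it regardless of origin, so the payload becomes readable to any site. The same payload served as plain JSON with a CORS header is readable only by an allow-listed origin. The account record, the origins, the callback name pattern and the simplified browser model are all assumptions made for the example.

```python
"""Added illustration (not Spring code): JSONP wrapping versus a CORS
origin check, and what a browser lets a cross-origin page read in each case.
"""
import json
import re
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed sample: data an authenticated REST endpoint would return.
ACCOUNT = {"user": "alice", "email": "alice@example.test", "balance": 1234}

# Assumed allow-list of origins permitted to read the API cross-origin.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({"https://app.example.test"})

# Callback names are restricted to a JavaScript identifier path; this stops
# script injection through the parameter but NOT the cross-origin data read.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]*$")


def render_jsonp(payload: dict, callback: Optional[str]) -> Tuple[str, str]:
    """Return (content_type, body). With a callback the JSON is wrapped in a
    script call, which is the JSONP behaviour the advisory describes."""
    if callback is None:
        return "application/json", json.dumps(payload)
    if not CALLBACK_RE.match(callback):
        raise ValueError("invalid JSONP callback name")
    return "application/javascript", f"/**/{callback}({json.dumps(payload)});"


def cors_headers(origin: Optional[str],
                 allowed: FrozenSet[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """CORS replacement for JSONP: reflect the Origin only when allow-listed."""
    if origin is not None and origin in allowed:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def browser_can_read(content_type: str, headers: Dict[str, str],
                     requesting_origin: str, resource_origin: str) -> bool:
    """Simplified same-origin-policy model of whether a page at
    requesting_origin can read a response from resource_origin.

    A script response is executed by a <script> tag from any origin, and the
    callback hands the data to the including page; JSON is readable
    cross-origin only when Access-Control-Allow-Origin matches.
    """
    if requesting_origin == resource_origin:
        return True
    if content_type == "application/javascript":
        return True
    acao = headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == requesting_origin


if __name__ == "__main__":
    api = "https://api.example.test"
    for page in ("https://app.example.test", "https://other.test"):
        ct, _ = render_jsonp(ACCOUNT, "handle")
        jsonp_readable = browser_can_read(ct, {}, page, api)
        ct, _ = render_jsonp(ACCOUNT, None)
        cors_readable = browser_can_read(ct, cors_headers(page), page, api)
        print(f"{page}: JSONP readable={jsonp_readable} CORS readable={cors_readable}")
```

The point the model makes is that validating the callback name is not a cross-domain protection; only removing the JSONP wrapping (or never exposing authenticated data through it) and relying on a per-origin CORS decision keeps the payload from being read by an arbitrary site.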
Remediation
Install the update from the vendor's website.