#VU13499 Cross-site tracing attack in Pivotal Spring Framework - CVE-2018-11039

Cybersecurity Help s.r.o.

Published: 2018-06-26 | Updated: 2018-06-27

Vulnerability identifier: #VU13499

Vulnerability risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-11039

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pivotal Spring Framework
Server applications / Frameworks for developing and running applications

Vendor: Pivotal

Description

The disclosed vulnerability allows a remote attacker to perform cross-site tracing (XST) attacks.

The vulnerability exists due to the HiddenHttpMethodFilter class in the Spring MVC framework used by the affected software allows web applications to change the HTTP request method to any HTTP method, including the TRACE method. A remote attacker can trick a user who is using a web application that has a cross-site scripting (XSS) vulnerability into following a link that submits malicious input, conduct an XST attack and access sensitive information, such as the user's credentials.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation
Update to version 4.3.18, 5.0.7.

Vulnerable software versions

Pivotal Spring Framework: 4.3.0 - 4.3.17, 5.0.0 - 5.0.6

External links
https://pivotal.io/security/cve-2018-11039

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cognos Controller

Multiple vulnerabilities in Dell Support Assist Enterprise

Information disclosure in Pivotal Spring Framework