Main Vulnerability Database Vulnerabilities #VU13499

#VU13499 Cross-site tracing attack in Pivotal Spring Framework - CVE-2018-11039

Published: June 26, 2018 / Updated: June 27, 2018

Vulnerability identifier: #VU13499

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-11039

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Pivotal Spring Framework

Software vendor:
Pivotal

Description

The disclosed vulnerability allows a remote attacker to perform cross-site tracing (XST) attacks.

The vulnerability exists due to the HiddenHttpMethodFilter class in the Spring MVC framework used by the affected software allows web applications to change the HTTP request method to any HTTP method, including the TRACE method. A remote attacker can trick a user who is using a web application that has a cross-site scripting (XSS) vulnerability into following a link that submits malicious input, conduct an XST attack and access sensitive information, such as the user's credentials.

Successful exploitation of the vulnerability results in information disclosure.

Remediation

Update to version 4.3.18, 5.0.7.

External links

https://pivotal.io/security/cve-2018-11039