CVE-2018-11039

Name of the Vulnerable Software and Affected Versions Spring Framework versions 5.0.x prior to 5.0.7 Spring Framework versions 4.3.x prior to 4.3.18 Spring Framework older unsupported versions

Description The issue is related to the insufficient validation of user input in the HiddenHttpMethodFilter mechanism of the Spring Framework. This can allow a remote attacker to perform a Cross Site Tracing (XST) attack using the TRACE method if the application already has a pre-existing XSS vulnerability.

Recommendations For Spring Framework versions 5.0.x prior to 5.0.7, update to version 5.0.7 or later. For Spring Framework versions 4.3.x prior to 4.3.18, update to version 4.3.18 or later. For Spring Framework older unsupported versions, consider upgrading to a supported version to mitigate the risk. As a temporary workaround, consider disabling the HiddenHttpMethodFilter in Spring MVC to prevent the escalation to an XST attack.