PT-2018-2762 · Spring · Spring Framework

Published: 2018-10-18 · Updated: 2026-01-22 · CVE-2018-15756

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Spring Framework versions 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch
Description: The issue lies in the implementation of the ResourceHttpRequestHandler class in the Spring Framework and is classified as a resource management error. A malicious user can exploit it by sending a Range header with a high number of ranges, or with wide ranges that overlap, or both, to cause a denial of service. This affects applications that depend on either spring-webmvc or spring-webflux and that either have a registration for serving static resources or have an annotated controller that returns an org.springframework.core.io.Resource.
Recommendations: For Spring Framework versions 5.1, update to a version that includes the fix for this issue. For Spring Framework versions 5.0.x, update to version 5.0.10 or later. For Spring Framework versions 4.3.x, update to version 4.3.20 or later. As a temporary workaround, consider disabling the serving of static resources through the ResourceHttpRequestHandler, or restricting access to annotated controllers that return an org.springframework.core.io.Resource, until the fix can be applied.
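The request shape the advisory describes (a Range header carrying many ranges, or wide ranges that overlap) can be screened for at a reverse proxy or filter in front of an unpatched application. The following is an added example written for this record; it is not Spring Framework code and does not reproduce the fixed handler. It parses an RFC 7233 byte-range header, counts the ranges and checks them for overlap, and reports whether the request should be refused. The MAX_RANGES limit and the helper names (parse_byte_ranges, ranges_overlap, should_reject) are this example's own assumptions.

```python
"""Defensive sanity check for HTTP Range headers (added example, not Spring code)."""
import re
from typing import List, Optional, Tuple

# Assumed limit on the number of byte ranges one request may ask for;
# tune it to what your application legitimately needs.
MAX_RANGES = 8

# One range spec: "first-last", "first-" or "-suffix" (whitespace tolerated).
_RANGE_RE = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header: str, resource_length: int) -> Optional[List[Tuple[int, int]]]:
    """Return absolute, inclusive (start, end) pairs clamped to the resource.

    Returns None when the header is malformed or a range is unsatisfiable.
    """
    if not header.lower().startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_RE.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":
            # Suffix range "-N": the last N bytes of the resource.
            n = int(last)
            if n == 0:
                return None
            start = max(0, resource_length - n)
            end = resource_length - 1
        else:
            start = int(first)
            end = int(last) if last != "" else resource_length - 1
            end = min(end, resource_length - 1)
            if start > end:
                return None  # starts past the end of the resource
        ranges.append((start, end))
    return ranges


def ranges_overlap(ranges: List[Tuple[int, int]]) -> bool:
    """True if any two ranges share at least one byte."""
    ordered = sorted(ranges)
    for (_, prev_end), (next_start, _) in zip(ordered, ordered[1:]):
        if next_start <= prev_end:
            return True
    return False


def should_reject(header: str, resource_length: int,
                  max_ranges: int = MAX_RANGES) -> Tuple[bool, str]:
    """Decide whether a Range header should be refused before reaching the app."""
    ranges = parse_byte_ranges(header, resource_length)
    if ranges is None:
        return True, "malformed"
    if len(ranges) > max_ranges:
        return True, "too many ranges"
    if ranges_overlap(ranges):
        return True, "overlapping ranges"
    return False, "ok"


if __name__ == "__main__":
    # Constructed sample headers against a 1000-byte resource.
    for h in ("bytes=0-99", "bytes=-100", "bytes=0-499,400-999",
              "bytes=" + ",".join(f"{i}-{i}" for i in range(20))):
        print(h[:40], "->", should_reject(h, 1000))
```

Refusing a request here (for example with 416 or 400 at the proxy) is a screening step only; the fixed Spring versions listed above remain the actual remedy.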

Fix


Weakness Enumeration

Related Identifiers

BDU:2019-01754
CVE-2018-15756
DLA-2635-1
GHSA-FFVQ-7W96-97P7

Affected Products

Spring Framework