PT-2018-2778 · Spring · Spring Framework

Published: 2018-06-14 · Updated: 2022-06-23 · CVE-2018-11040
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Spring Framework versions 5.0.x prior to 5.0.7
Spring Framework versions 4.3.x prior to 4.3.18
Spring Framework older unsupported versions

Description
The issue allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. When MappingJackson2JsonView is configured in an application, JSONP support is automatically enabled through the jsonp and callback request parameters, which permits cross-domain requests to the affected endpoints. This could potentially impact the confidentiality of protected information.

Recommendations
For Spring Framework versions 5.0.x prior to 5.0.7, update to version 5.0.7 or later.
For Spring Framework versions 4.3.x prior to 4.3.18, update to version 4.3.18 or later.
For Spring Framework older unsupported versions, consider upgrading to a supported version.
As a temporary workaround, consider disabling MappingJackson2JsonView or restricting access to the jsonp and callback parameters to minimize the risk of exploitation.
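The temporary workaround above, written out as Spring MVC Java configuration (an added example, not code from the advisory or the Spring project): the weak default view beside a view whose JSONP parameter names are cleared, plus a servlet filter that rejects any request still carrying a jsonp or callback parameter. It assumes an affected 4.3.x/5.0.x release where MappingJackson2JsonView.setJsonpParameterNames is available, and a Spring Boot style setup in which a Filter bean is registered automatically; the class and bean names are chosen for this example.

```java
import java.io.IOException;
import java.util.Collections;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

@Configuration
public class JsonpHardeningConfig {   // example class name, not from the advisory

    // Weak (pre-fix default): a plain MappingJackson2JsonView answers any request
    // carrying ?jsonp=... or ?callback=... with script-wrapped JSON, so a page on
    // another origin can read the protected response through a <script> tag.
    // @Bean
    // public MappingJackson2JsonView jsonView() { return new MappingJackson2JsonView(); }

    // Corrected: clear the JSONP parameter names so the view only emits plain JSON.
    @Bean
    public MappingJackson2JsonView jsonView() {
        MappingJackson2JsonView view = new MappingJackson2JsonView();
        view.setJsonpParameterNames(Collections.emptySet());
        return view;
    }

    // Defence in depth while the upgrade is pending: reject requests that still carry
    // either parameter, so no view or advice can be asked to pad its output.
    @Bean
    public OncePerRequestFilter jsonpParameterFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                                            HttpServletResponse response,
                                            FilterChain chain)
                    throws ServletException, IOException {
                if (request.getParameter("jsonp") != null
                        || request.getParameter("callback") != null) {
                    response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                            "JSONP parameters are not accepted");
                    return;
                }
                chain.doFilter(request, response);
            }
        };
    }
}
```

Rejecting every request that carries a callback parameter is deliberately blunt; scope the filter to the JSON endpoints if the application uses that name for something else.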


Related Identifiers

BDU:2019-01776
CVE-2018-11040
DLA-2635-1
GHSA-F26X-PR96-VW86

Affected Products

Spring Framework