PT-2018-11351 · Spring · Spring Framework

Published 2018-04-06 · Updated 2022-06-23 · CVE-2018-1272

CVSS v3.1 7.5 High
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Spring Framework versions 5.0 prior to 5.0.5
Spring Framework versions 4.3 prior to 4.3.15
Spring Framework older unsupported versions
Description

The affected Spring Framework versions provide client-side support for building multipart requests. When a Spring MVC or Spring WebFlux application (server A) receives input from a remote client and then copies that input into a part of a multipart request it sends to another server (server B), an attacker who can predict the part boundary used by server A can embed a boundary line in the submitted value. Server B then sees an extra part that server A never intended to send and may use the wrong value for a part it expects. This can lead to privilege escalation, for example when the part content represents a username or user roles. The issue is triggered only on the path where client input is forwarded as multipart content; merely receiving multipart requests does not expose an application to it.
Recommendations

For Spring Framework versions 5.0 prior to 5.0.5, update to version 5.0.5 or later.
For Spring Framework versions 4.3 prior to 4.3.15, update to version 4.3.15 or later.
For Spring Framework older unsupported versions, upgrade to a supported version.
As a temporary workaround, do not copy client-supplied input verbatim into parts of an outgoing multipart request: validate such values against a strict allowlist and reject, in particular, any value containing CR or LF characters, since a boundary line cannot be injected without a line break.
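The attack and the two mitigations above, as an added example that is not Spring Framework code: a naive multipart builder with a predictable boundary stands in for server A, a minimal multipart/form-data parser stands in for server B, and a hardened path uses a fresh random boundary and rejects line breaks in the client-supplied value. The fixed boundary string, the field names, the forwarded "roles" part and the injected payload are all constructed for the illustration; the toy parser keeps the first value seen for a name, as Servlet getParameter() does for repeated parameters.

```python
"""Added example, not Spring Framework code: multipart content pollution.

Server A copies a client-supplied value into a multipart/form-data part
sent to server B.  If the client can predict the boundary string, it can
place a boundary line inside its own value and inject an extra part.
FIXED_BOUNDARY, the field names and INJECTION are constructed here."""

import re
import secrets

CRLF = "\r\n"
FIXED_BOUNDARY = "Boundary_1"  # constructed stand-in for a predictable boundary


def build_multipart(parts, boundary):
    """Serialize (name, value) pairs as multipart/form-data.
    Values are copied verbatim, which is what makes injection possible."""
    out = []
    for name, value in parts:
        out.append(f"--{boundary}{CRLF}")
        out.append(f'Content-Disposition: form-data; name="{name}"{CRLF}{CRLF}')
        out.append(f"{value}{CRLF}")
    out.append(f"--{boundary}--{CRLF}")
    return "".join(out)


def parse_multipart(body, boundary):
    """Minimal parser standing in for server B.  The first part seen for a
    given name wins, as Servlet getParameter() does for repeated names."""
    fields = {}
    for seg in body.split(f"--{boundary}")[1:]:
        if seg.startswith("--"):  # closing delimiter "--boundary--"
            break
        seg = seg[len(CRLF):]  # drop the CRLF that ends the boundary line
        headers, _, content = seg.partition(CRLF + CRLF)
        if content.endswith(CRLF):
            content = content[:-len(CRLF)]  # CRLF before the next boundary
        m = re.search(r'name="([^"]*)"', headers)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = content
    return fields


# Client-supplied "username" carrying a boundary line and a second part.
INJECTION = (
    "alice" + CRLF
    + "--" + FIXED_BOUNDARY + CRLF
    + 'Content-Disposition: form-data; name="roles"' + CRLF + CRLF
    + "ADMIN"
)

PARTS_AFTER = [("roles", "USER")]  # what server A appends after the username


def forward_vulnerable(username):
    """Server A before the fix: predictable boundary, value used verbatim."""
    body = build_multipart([("username", username)] + PARTS_AFTER, FIXED_BOUNDARY)
    return parse_multipart(body, FIXED_BOUNDARY)


def forward_random_boundary(username):
    """Random boundary only: the guessed boundary no longer matches, so the
    payload stays inside the username part and roles remains USER."""
    boundary = "----" + secrets.token_hex(16)
    body = build_multipart([("username", username)] + PARTS_AFTER, boundary)
    return parse_multipart(body, boundary)


def safe_value(value):
    """Reject input that could end the current part: without a line break a
    value cannot contain a boundary line, whatever the boundary is."""
    if "\r" in value or "\n" in value:
        raise ValueError("line break in multipart field value")
    return value


def forward_hardened(username):
    """Random boundary plus validation of the client-supplied value."""
    boundary = "----" + secrets.token_hex(16)
    parts = [("username", safe_value(username))] + PARTS_AFTER
    body = build_multipart(parts, boundary)
    return parse_multipart(body, boundary)


def hardened_rejects(username):
    """True when the hardened path refuses the value."""
    try:
        forward_hardened(username)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("vulnerable:      ", forward_vulnerable(INJECTION))
    print("random boundary: ", forward_random_boundary(INJECTION))
    print("hardened rejects:", hardened_rejects(INJECTION))
```

With the predictable boundary, server B reports roles=ADMIN although server A only ever meant to send USER. An unpredictable boundary alone already defeats the injection, because the attacker's guessed boundary line is just content; rejecting CR and LF is the cheap extra check that closes the hole regardless of how the boundary is chosen, and is the check the workaround above refers to.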


Related Identifiers

CVE-2018-1272
GHSA-4487-X383-QPPH

Affected Products

Spring Framework