CVE-2018-1275

Name of the Vulnerable Software and Affected Versions Spring Framework versions 5.0 prior to 5.0.5 Spring Framework versions 4.3 prior to 4.3.16 Spring Framework older unsupported versions

Description The issue allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user can craft a message to the broker that can lead to a remote code execution attack. The vulnerability is caused by errors in processing STOMP messages in the spring-messaging module, which can allow a remote attacker to gain full control over the application using a specially crafted message.

Recommendations For Spring Framework versions 5.0 prior to 5.0.5, update to version 5.0.5 or later. For Spring Framework versions 4.3 prior to 4.3.16, update to version 4.3.16 or later. For Spring Framework older unsupported versions, consider upgrading to a supported version to mitigate the risk of exploitation. As a temporary workaround, consider disabling the spring-messaging module until a patch is available.