PT-2018-2375 · Spring · Spring Framework
Published
2018-06-25
·
Updated
2022-06-23
·
CVE-2018-11039
CVSS v3.1
5.9
Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Spring Framework versions 5.0.x prior to 5.0.7
Spring Framework versions 4.3.x prior to 4.3.18
Spring Framework older unsupported versions
Description
The issue is related to the insufficient validation of user input in the HiddenHttpMethodFilter mechanism of the Spring Framework. This can allow a remote attacker to perform a Cross Site Tracing (XST) attack using the TRACE method if the application already has a pre-existing XSS vulnerability.
Recommendations
For Spring Framework versions 5.0.x prior to 5.0.7, update to version 5.0.7 or later.
For Spring Framework versions 4.3.x prior to 4.3.18, update to version 4.3.18 or later.
For Spring Framework older unsupported versions, consider upgrading to a supported version to mitigate the risk.
As a temporary workaround, consider disabling the HiddenHttpMethodFilter in Spring MVC to prevent the escalation to an XST attack.
Fix
RCE
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Spring Framework