PT-2018-2614 · Spring · Spring Framework

Published 2018-04-05 · Updated 2026-03-10 · CVE-2018-1270

CVSS v3.1 9.8 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Spring Framework versions 4.3 prior to 4.3.15 and versions 5.0 prior to 5.0.5
Description The issue is caused by errors in handling STOMP messages in the spring-messaging module of the Spring Framework. Applications that expose STOMP over WebSocket endpoints and route messages through the simple, in-memory STOMP broker are affected: a remote attacker who can reach such an endpoint, without any authentication (the CVSS vector is PR:N), can craft a STOMP message to the broker that leads to remote code execution. The underlying flaw is that the broker evaluates the STOMP subscription selector header as a Spring Expression Language (SpEL) expression in a full-power evaluation context; the fixed versions evaluate it in a restricted context instead.
Recommendations For versions 4.3 prior to 4.3.15, update to version 4.3.15 or later. For versions 5.0 prior to 5.0.5, update to version 5.0.5 or later. Updating is the only complete remediation. If you cannot update immediately, disable the simple in-memory STOMP broker on WebSocket endpoints (or the STOMP-over-WebSocket endpoints themselves) until the fixed version is deployed, and restrict network access to those endpoints to trusted clients; these workarounds reduce exposure but do not remove the flaw from the spring-messaging module.
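Triage of the affected ranges above usually starts from a build's dependency list. The following is an added example, not code from this advisory or from the Spring project: it classifies a Spring Framework version against the two ranges stated on this page and scans lines in the format printed by `mvn dependency:list` (groupId:artifactId:type:version:scope) for the vulnerable spring-messaging artifact. The sample output it scans is constructed for the example, and it assumes that the trailing qualifier of a Spring version string (.RELEASE, .RC1, .BUILD-SNAPSHOT) can be ignored for the comparison.

```python
"""Triage helper for CVE-2018-1270: flag Spring Framework artifacts whose
version is in an affected range (4.3 before 4.3.15, 5.0 before 5.0.5).
Added example for this page; not code from the advisory or from Spring."""
import re
from typing import Dict, List, Tuple

# Affected branches and the first fixed patch level, taken from the advisory text.
FIRST_FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (4, 3): (4, 3, 15),
    (5, 0): (5, 0, 5),
}

# The module that carries the bug. Other artifacts of a Spring Framework release
# share its version number, so any of them reveals the framework version in use.
VULNERABLE_MODULE = "spring-messaging"


def parse_version(text: str) -> Tuple[int, int, int]:
    """'5.0.4.RELEASE' -> (5, 0, 4). The trailing qualifier (.RELEASE, .RC1,
    .BUILD-SNAPSHOT) is dropped; that treats a pre-release build of a fixed
    version as fixed, which is an assumption of this example."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Framework version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'not-listed' for one Spring Framework version."""
    v = parse_version(version)
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is None:
        # Branch not covered by this advisory (e.g. 5.1+, or 4.2 and older);
        # deliberately not reported as safe.
        return "not-listed"
    return "affected" if v < fixed else "fixed"


# One resolved artifact as printed by `mvn dependency:list`.
MVN_LINE = re.compile(
    r"org\.springframework:(?P<artifact>spring-[\w-]+):\w+:(?P<version>[^:\s]+):\w+"
)


def scan_dependency_list(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, status) for every Spring Framework artifact seen."""
    results = []
    for line in lines:
        m = MVN_LINE.search(line)
        if m:
            results.append((m["artifact"], m["version"], classify(m["version"])))
    return results


def needs_update(lines: List[str]) -> bool:
    """True if spring-messaging is present at a version in an affected range."""
    return any(
        artifact == VULNERABLE_MODULE and status == "affected"
        for artifact, _version, status in scan_dependency_list(lines)
    )


# Constructed sample of `mvn dependency:list` output, not captured from a real build.
SAMPLE = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.springframework:spring-core:jar:5.0.4.RELEASE:compile",
    "[INFO]    org.springframework:spring-messaging:jar:5.0.4.RELEASE:compile",
    "[INFO]    org.springframework:spring-websocket:jar:5.0.4.RELEASE:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.5:compile",
]

if __name__ == "__main__":
    for artifact, version, status in scan_dependency_list(SAMPLE):
        print(f"{artifact:20} {version:16} {status}")
    print("update required:", needs_update(SAMPLE))
```

Run it against real output with `mvn dependency:list | python3 triage.py` after replacing `SAMPLE` with `sys.stdin`. A `not-listed` result means the branch is outside the ranges this advisory names, not that it is safe; check the vendor advisory for that branch separately.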

Exploit

Fix

RCE

Weakness Enumeration

Code Injection

Improperly Implemented Security Check for Standard

Related Identifiers

BDU:2019-01223
CVE-2018-1270
DLA-2635-1
GHSA-P5HG-3XM3-GCJG

Affected Products

Spring Framework