CVE-2018-11040 – org.springframework:spring-webmvc

Package

Manager: maven
Name: org.springframework:spring-webmvc
Vulnerable Version: >=0 <4.3.18 || >=5.0.0 <5.0.7

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Affected versions of this package are vulnerable to Information Exposure. It allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers, and MappingJackson2JsonView for browser requests. When MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the jsonp and callback JSONP parameters, enabling cross-domain requests. Allowing cross-domain requests from untrusted origins may expose user information to 3rd party browser scripts

Metadata

Created:
Modified:
Source: MANUAL
CWE IDs: ["CWE-200"]
Alternative ID: N/A
Finding: F164
Auto approve: 1