Fluid Attacks Database

Description

Affected versions of this package are vulnerable to Information Exposure. It allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers, and MappingJackson2JsonView for browser requests. When MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the jsonp and callback JSONP parameters, enabling cross-domain requests. Allowing cross-domain requests from untrusted origins may expose user information to 3rd party browser scripts

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	libspring-java	>=0 <4.3.19-1	4.3.19-1
maven	org.springframework:spring-core	>=5.0.0.release <5.0.7.release \|\| >=4.3.0.release <4.3.18.release	5.0.7.release, 4.3.18.release
debian 14	libspring-java	>=0 <4.3.19-1	4.3.19-1
maven	org.springframework:spring-web	>=4.3.0.release <4.3.18.release \|\| >=5.0.0.release <5.0.7.release	4.3.18.release, 5.0.7.release
debian 13	libspring-java	>=0 <4.3.19-1	4.3.19-1
debian 11	libspring-java	>=0 <4.3.19-1	4.3.19-1
maven	org.springframework:spring-webmvc	>=0 <4.3.18 \|\| >=5.0.0 <5.0.7	-

Aliases

1. CVE-2018-110402. NVD-2018-110403. OSV-DEBIAN-2018-110404. OSV-2018-110405. GHSA-f26x-pr96-vw866. GCVE-2018-110407. SECURITY-TRACKER-CVE-2018-110408. lists.debian.org9. PIVOTAL-cve-2018-1104010. DB-CVE-2018-11040

References

1. https://github.com/spring-projects/spring-framework/commit/874859493bbda59739c38c7e52eb3625f247b93a2. https://github.com/spring-projects/spring-framework/commit/b80c13b722bb207ddf43f53a007ee3ddc1dd2e263. https://pivotal.io/security/cve-2018-110404. https://www.oracle.com/security-alerts/cpujan2020.html5. https://www.oracle.com/security-alerts/cpujul2020.html6. https://www.oracle.com/security-alerts/cpuoct2021.html7. https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html8. https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html9. https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html10. http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.