Fluid Attacks Database

Description

Spring Framework Cross Site Tracing (XST) Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.springframework:spring-web	>=5.0.0 <5.0.7 \|\| >=4.3.0 <4.3.18	5.0.7, 4.3.18
maven	org.springframework:spring-core	<0	-
debian 11	libspring-java	>=0 <4.3.19-1	4.3.19-1
debian 13	libspring-java	>=0 <4.3.19-1	4.3.19-1
debian 14	libspring-java	>=0 <4.3.19-1	4.3.19-1
debian 12	libspring-java	>=0 <4.3.19-1	4.3.19-1
maven	org.springframework:spring-webmvc	<0	-

Aliases

1. CVE-2018-110392. NVD-2018-110393. OSV-2018-110394. OSV-DEBIAN-2018-110395. GHSA-9gcm-f4x3-8jpw6. GCVE-2018-110397. lists.debian.org8. PIVOTAL-cve-2018-110399. SECURITY-TRACKER-CVE-2018-11039

References

1. https://github.com/spring-projects/spring-framework/issues/213762. https://github.com/spring-projects/spring-framework/commit/323ccf99e575343f63d56e229c25c35c170b7ec13. https://github.com/spring-projects/spring-framework/commit/a5cd01a4c857aaaba7ccc51545fc73dd25b5cba54. https://github.com/spring-projects/spring-framework/commit/dac97f1b7dac3e70ff603fb6fc9f205b95dd6b015. https://github.com/spring-projects/spring-framework/commit/f2694a8ed93f1f63f87ce45d0bb638478b426acd6. https://github.com/spring-projects/spring-framework/commit/f64fa3dea10af125d612d3a997aece93d21bc8757. https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html8. https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html9. https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html10. https://www.oracle.com/security-alerts/cpuoct2021.html11. https://www.oracle.com/security-alerts/cpujul2020.html12. https://www.oracle.com/security-alerts/cpujan2020.html13. https://spring.io/security/cve-2018-1103914. https://pivotal.io/security/cve-2018-1103915. http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html16. http://www.securityfocus.com/bid/107984

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.