CVE-2018-11040

CVSS v3 Base Score: 7.5

Published: 25/06/2018 Updated: 23/06/2022
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 384
Vector (CVSS v2): AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

Spring Framework, versions 5.0.x before 5.0.7 and 4.3.x before 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" query parameters, enabling cross-domain requests.
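The following Spring MVC configuration is an added example, not code from the advisory or from the Spring project. It shows the weak setting the summary describes (a MappingJackson2JsonView registered with framework defaults, which on the affected versions answers "jsonp"/"callback" query parameters with a script-wrapped response) beside the hardened form, which clears the JSONP parameter names so the view only ever returns plain JSON regardless of the framework version's defaults. The class and bean names are hypothetical; setJsonpParameterNames is the view's own setter on the 4.3.x/5.0.x lines. Upgrading to 5.0.7 / 4.3.18 or later remains the primary fix.

```java
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

// Hypothetical configuration class (added example, not from the advisory).
@Configuration
public class JsonViewConfig {

    // Weak setting (shown for comparison, intentionally left out of the context):
    // on Spring 5.0.x before 5.0.7 and 4.3.x before 4.3.18 a view created with
    // defaults honours ?jsonp=fn and ?callback=fn and emits fn({...}) as
    // application/javascript, which a page on any origin can load via <script>.
    //
    // @Bean
    // public MappingJackson2JsonView jsonView() {
    //     return new MappingJackson2JsonView();
    // }

    // Hardened setting: explicitly disable every JSONP query parameter so the
    // same view returns only application/json, independent of version defaults.
    @Bean
    public MappingJackson2JsonView jsonView() {
        MappingJackson2JsonView view = new MappingJackson2JsonView();
        view.setJsonpParameterNames(Collections.emptySet());
        return view;
    }
}
```

A quick check after deploying is to request a JSON endpoint served by this view with a `?callback=x` query parameter and confirm the response is still `application/json` with an unwrapped body; a `x({...})` body with a JavaScript content type means JSONP is still active. Any subclass of AbstractJsonpResponseBodyAdvice registered as a @ControllerAdvice for REST controllers needs the same review, since that path is opt-in but enables the same cross-domain behaviour.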

Affected Products

vmware spring framework

oracle flexcube private banking 2.2.0.1

oracle retail xstore point of service 7.1

oracle application testing suite 12.5.0.3

oracle hospitality guest access 4.2.0

oracle hospitality guest access 4.2.1

oracle weblogic server 12.2.1.3.0

oracle enterprise manager ops center 12.3.3

oracle endeca information discovery integrator 3.2.0

oracle endeca information discovery integrator 3.1.0

oracle application testing suite 13.1.0.1

oracle application testing suite 13.2.0.1

oracle application testing suite 13.3.0.1

oracle insurance rules palette 10.0

oracle insurance rules palette 10.2

oracle communications services gatekeeper

oracle healthcare master person index 3.0

oracle healthcare master person index 4.0

oracle retail customer insights 15.0

oracle retail customer insights 16.0

oracle retail predictive application server 16.0

oracle agile product lifecycle management 9.3.3

oracle agile product lifecycle management 9.3.4

oracle agile product lifecycle management 9.3.5

oracle utilities network management system 1.12.0.3

oracle communications online mediation controller 6.1

oracle retail clearance optimization engine 14.0.5

oracle micros lucas 2.9.5

oracle flexcube private banking 2.0.0.0

oracle flexcube private banking 12.0.1.0

oracle flexcube private banking 12.0.3.0

oracle flexcube private banking 12.1.0.0

oracle communications unified inventory management 7.3.2

oracle communications unified inventory management 7.3.4

oracle communications unified inventory management 7.3.5

oracle communications unified inventory management 7.4.0

oracle product lifecycle management 9.3.6

oracle mysql enterprise monitor

oracle enterprise manager 13.2

oracle communications network integrity

oracle retail advanced inventory planning 15.0

oracle insurance calculation engine

oracle retail markdown optimization 13.4.4

oracle retail predictive application server 14.1.3.37

oracle retail predictive application server 14.0.3.26

oracle retail predictive application server 15.0.3.100

oracle retail service backbone 16.0.1

debian debian linux 9.0