Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2018-15756

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Source

The MITRE CVE dictionary describes this issue as:

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Find out more about CVE-2018-15756 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

The package rhvm-dependencies does not include the vulnerable spring-webmvc component.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score	3.1
CVSS3 Base Metrics	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector	Network
Attack Complexity	High
Privileges Required	Low
User Interaction	None
Scope	Unchanged
Confidentiality	None
Integrity Impact	None
Availability Impact	Low

Affected Packages State

Platform	Package	State
Red Hat Virtualization 4	rhvm-dependencies	Not affected
Red Hat OpenStack Platform 9.0	springframework	Not affected
Red Hat OpenStack Platform 12.0	springframework	Not affected
Red Hat OpenStack Platform 11.0 (Ocata)	springframework	Not affected
Red Hat OpenStack Platform 10	springframework	Not affected
Red Hat JBoss Fuse Service Works 6	springframework	Under investigation
Red Hat JBoss Fuse 7	springframework	Under investigation
Red Hat JBoss Fuse 6	springframework	Under investigation
Red Hat JBoss Enterprise SOA Platform 5	springframework	Under investigation
Red Hat JBoss Data Virtualization 6	springframework	Under investigation
Red Hat JBoss BRMS 5	springframework	Under investigation
Red Hat Gluster Storage 3	rhevm-dependencies	Not affected

External References

https://pivotal.io/security/cve-2018-15756

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2018-15756

Statement

CVSS v3 metrics

Affected Packages State

External References

Vulmon Search

About

Products

Connect