CVE-2018-1272

Published: 06/04/2018 Updated: 23/06/2022
CVSS v2 Base Score: 6 | Impact Score: 6.4 | Exploitability Score: 6.8
CVSS v3 Base Score: 7.5 | Impact Score: 5.9 | Exploitability Score: 1.6
VMScore: 535
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Vulnerability Summary

Spring Framework, versions 5.0 before 5.0.5 and versions 4.3 before 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack in which an extra multipart is inserted into the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example if the part content represents a username or user roles.

Vulnerable Products

vmware spring framework
oracle enterprise manager ops center 12.2.2
oracle primavera gateway 16.2
oracle primavera gateway 15.2
oracle application testing suite 12.5.0.3
oracle retail back office 14.1
oracle retail back office 14.0
oracle enterprise manager ops center 12.3.3
oracle retail open commerce platform 6.0.1
oracle application testing suite 13.1.0.1
oracle healthcare master person index 3.0
oracle healthcare master person index 4.0
oracle insurance calculation engine 10.2
oracle application testing suite 13.2.0.1
oracle health sciences information manager 3.0
oracle communications converged application server
oracle communications diameter signaling router
oracle communications performance intelligence center
oracle communications services gatekeeper
oracle retail customer insights 15.0
oracle retail customer insights 16.0
oracle tape library acsls 8.4
oracle application testing suite 13.3.0.1
oracle insurance rules palette 10.0
oracle insurance rules palette 10.2
oracle retail predictive application server 14.0
oracle service architecture leveraging tuxedo 12.2.2.0.0
oracle service architecture leveraging tuxedo 12.1.3.0.0
oracle retail integration bus 15.0.2
oracle retail integration bus 14.1.1
oracle retail integration bus 14.1.2
oracle retail integration bus 14.1.3
oracle retail predictive application server 15.0
oracle retail predictive application server 16.0
oracle retail order broker 5.1
oracle retail order broker 5.2
oracle retail order broker 15.0
oracle insurance calculation engine 10.2.1
oracle primavera gateway 17.12
oracle big data discovery 1.6.0
oracle goldengate for big data 12.2.0.1
oracle retail integration bus 16.0.1
oracle retail integration bus 15.0.1
oracle retail order broker 16.0
oracle retail open commerce platform 6.0.0
oracle insurance calculation engine 10.1.1
oracle insurance rules palette 10.1
oracle insurance rules palette 11.0
oracle goldengate for big data 12.3.2.1
oracle retail integration bus 14.0.1
oracle retail integration bus 14.0.2
oracle retail integration bus 14.0.3
oracle retail integration bus 14.0.4
oracle retail integration bus 16.0
oracle insurance rules palette 11.1
oracle retail integration bus 16.0.2
oracle retail integration bus 15.0.0.1
oracle retail returns management 14.0
oracle retail predictive application server 14.1
oracle retail open commerce platform 5.3.0
oracle goldengate for big data 12.3.1.1
oracle retail returns management 14.1
oracle retail point-of-sale 14.1
oracle retail point-of-sale 14.0
oracle retail central office 14.0
oracle retail central office 14.1

Vendor Advisories

Synopsis: Important: Fuse 7.1 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat Fuse. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed s ...
Debian Bug report logs - #895114 libspring-java: CVE-2018-1270 CVE-2018-1272. Package: src:libspring-java; Maintainer for src:libspring-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 7 Apr 2018 07:51:01 UTC; Severity: gra ...
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it ...