7.5
CVSSv2

CVE-2018-1275

Published: 11/04/2018 Updated: 15/07/2020
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 670
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Spring Framework, versions 5.0 before 5.0.5 and versions 4.3 before 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

pivotal software spring framework

oracle retail predictive application server 16.0

oracle retail order broker 5.2

oracle communications performance intelligence center

oracle application testing suite 12.5.0.3

oracle insurance calculation engine 10.2

oracle insurance calculation engine 10.1.1

oracle insurance rules palette 11.1

oracle retail customer insights 16.0

oracle primavera gateway 17.12

oracle goldengate for big data 12.2.0.1

oracle retail predictive application server 14.0

oracle retail predictive application server 14.1

oracle primavera gateway 15.2

oracle retail open commerce platform 6.0.1

oracle application testing suite 13.1.0.1

oracle application testing suite 13.2.0.1

oracle application testing suite 13.3.0.1

oracle communications diameter signaling router

oracle insurance rules palette 10.0

oracle insurance rules palette 10.2

oracle communications services gatekeeper

oracle health sciences information manager 3.0

oracle healthcare master person index 3.0

oracle healthcare master person index 4.0

oracle communications converged application server

oracle service architecture leveraging tuxedo 12.1.3.0.0

oracle service architecture leveraging tuxedo 12.2.2.0.0

oracle retail predictive application server 15.0

oracle retail order broker 5.1

oracle retail order broker 15.0

oracle retail order broker 16.0

oracle retail open commerce platform 5.3.0

oracle retail open commerce platform 6.0.0

oracle insurance rules palette 10.1

oracle insurance rules palette 11.0

oracle goldengate for big data 12.3.2.1

oracle primavera gateway 16.2

oracle retail customer insights 15.0

oracle tape library acsls 8.4

oracle insurance calculation engine 10.2.1

oracle big data discovery 1.6.0

oracle goldengate for big data 12.3.1.1

Vendor Advisories

Synopsis Critical: Red Hat FIS 20 on Fuse 630 R8 security and bug fix update Type/Severity Security Advisory: Critical Topic An update is now available for Red Hat Fuse Integration ServicesRed Hat Product Security has rated this update as having a security impact of Critical A Common Vulnerability Scor ...
Spring Framework, versions 50 prior to 505 and versions 43 prior to 4316 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module A malicious user (or attacker) can craft a message to the broker that can lead to a remote code executio ...
Debian Bug report logs - #895114 libspring-java: CVE-2018-1270 CVE-2018-1272 Package: src:libspring-java; Maintainer for src:libspring-java is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sat, 7 Apr 2018 07:51:01 UTC Severity: gra ...
Oracle Critical Patch Update Advisory - July 2018 Description A Critical Patch Update is a collection of patches for multiple security vulnerabilities Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous C ...
Oracle Critical Patch Update Advisory - January 2019 Description A Critical Patch Update is a collection of patches for multiple security vulnerabilities Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previou ...
Oracle Critical Patch Update Advisory - October 2018 Description A Critical Patch Update is a collection of patches for multiple security vulnerabilities Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previou ...
There are multiple vulnerabilities identified in IBM Guardium Data Encryption (GDE) These vulnerabilities have been fixed in GDE 4004 Please apply the latest version for the fixes ...

Github Repositories

DISCLAIMER: This repository is supplementary to the VGS blog post, How to Avoid "Using Components with Known Vulnerabilities" It contains an application with a known security vulnerability (namely, CVE-2017-8046), as well as the description of how to exploit it Use the application at your own risk! Setting Up First, start the application by executing the following c

checking alerts of X-CERT

gocarts(go-CERT-alerts-summarizer) gocarts checks alerts of X-CERT (eg JPCERT, US-CERT) This project refers to knqyf263/gost Abstract gocarts is written in Go, and therefore you can just grab the binary releases and drop it in your $PATH gocarts summarizes alerts by CVE ID You can search alert's detail by CVE ID Main features gocarts has the following features S

Cyber Securiy MOOC Unsecure project

LINK: githubcom/ilmari666/cybsec Based on the Springboot-template as per course material that can be installed and run with suitably configured Netbeans and Maven Five flaws as per wwwowasporg/images/7/72/OWASP_Top_10-2017_%28en%29pdfpdf This document can be read at githubcom/ilmari666/cybsec/blob/master/READMEmd FLAW 1: A2:2017 Broken Authentica

Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out current Contents CVE-2011-2856 CVE-2011-3243 CVE-2013-2618 CVE-2013-6632 CVE-2014-1701 CVE-2014-1705 CVE-2014-1747 CVE-2014-3176 CVE-2014-6332 CVE-2014-7927 CVE-2014-7928 CVE-2015-0072 CVE-2015-0235 CVE-2015-0240 CVE-2015-1233 CVE-2015-1242 CVE-2015-1268 CV

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

Old bugs, new bugs, red bugs … yes, it's Oracle mega-update day again
The Register • Richard Chirgwin • 18 Jan 2019

Out of 284 flaws, 33 are rated critical. Big Red admins have big patches ahead

Oracle admins, here's your first critical patch advisory for 2019, and it's a doozy: a total of 284 vulnerabilities patched across Big Red's product range, and 33 of them are rated “critical”.
We hope your support contracts are up-to-date to receive these fixes. The full list is here, and with so much to choose from, The Register will work through the top-rated bugs.
Oracle Communications Applications (OCA) is home to nine of the vulnerabilities in various components:
Oracl...

Old bugs, new bugs, red bugs … yes, it's Oracle mega-update day again
The Register • Richard Chirgwin • 18 Jan 2019

Out of 284 flaws, 33 are rated critical. Big Red admins have big patches ahead Thought Patch Tuesday was a load? You gotta check out this Oracle mega-advisory, then

Oracle admins, here's your first critical patch advisory for 2019, and it's a doozy: a total of 284 vulnerabilities patched across Big Red's product range, and 33 of them are rated “critical”.
We hope your support contracts are up-to-date to receive these fixes. The full list is here, and with so much to choose from, The Register will work through the top-rated bugs.
Oracle Communications Applications (OCA) is home to nine of the vulnerabilities in various components:
Oracl...