Vulmon Recent Vulnerabilities Product List Research Posts Trends Blog About Contact
7.5
CVSSv3

CVE-2018-15756

CVSSv4: NA | CVSSv3: 7.5 | CVSSv2: 5 | VMScore: 850 | EPSS: 0.09613 | KEV: Not Included
Published: 18/10/2018 Updated: 21/11/2024

Vulnerability Summary

Spring Framework, version 5.1, versions 5.0.x before 5.0.10, versions 4.3.x before 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

vmware spring framework

vmware spring framework 5.1.0

oracle agile plm 9.3.3

oracle agile plm 9.3.4

oracle agile plm 9.3.5

oracle agile plm 9.3.6

oracle communications brm - elastic charging engine 11.3

oracle communications brm - elastic charging engine 12.0

oracle communications converged application server - service controller 6.0

oracle communications converged application server - service controller 6.1

oracle communications diameter signaling router 8.0.0

oracle communications diameter signaling router 8.1

oracle communications diameter signaling router 8.2

oracle communications diameter signaling router 8.2.1

oracle communications element manager 8.1.1

oracle communications element manager 8.2.0

oracle communications element manager 8.2.1

oracle communications online mediation controller 6.1

oracle communications session report manager 8.0.0

oracle communications session report manager 8.1.0

oracle communications session report manager 8.1.1

oracle communications session report manager 8.2.0

oracle communications session report manager 8.2.1

oracle communications session route manager 8.0.0

oracle communications session route manager 8.1.0

oracle communications session route manager 8.1.1

oracle communications session route manager 8.2.0

oracle communications session route manager 8.2.1

oracle communications unified inventory management 7.3

oracle communications unified inventory management 7.4.0

oracle endeca information discovery integrator 3.2.0

oracle enterprise manager for fusion applications 13.3.0.0

oracle enterprise manager ops center 12.3.3

oracle financial services analytical applications infrastructure

oracle flexcube private banking 12.0.1

oracle flexcube private banking 12.0.3

oracle flexcube private banking 12.1.0

oracle goldengate application adapters 12.3.2.1.0

oracle healthcare master person index 3.0

oracle healthcare master person index 4.0.2

oracle identity manager connector 9.0

oracle insurance calculation engine 9.7

oracle insurance calculation engine 10.0

oracle insurance calculation engine 10.1

oracle insurance calculation engine 10.2

oracle insurance policy administration j2ee 10.0

oracle insurance policy administration j2ee 10.1

oracle insurance policy administration j2ee 10.2

oracle insurance policy administration j2ee 10.2.0

oracle insurance policy administration j2ee 10.2.4

oracle insurance policy administration j2ee 11.0

oracle insurance policy administration j2ee 11.1.0

oracle insurance policy administration j2ee 11.2.0

oracle insurance rules palette 10.0

oracle insurance rules palette 10.1

oracle insurance rules palette 10.2

oracle insurance rules palette 10.2.0

oracle insurance rules palette 10.2.4

oracle insurance rules palette 11.0

oracle insurance rules palette 11.0.2

oracle insurance rules palette 11.1.0

oracle insurance rules palette 11.2.0

oracle mysql enterprise monitor

oracle primavera analytics 18.8

oracle primavera gateway 15.2

oracle primavera gateway 16.2

oracle primavera gateway 17.12

oracle primavera gateway 18.8.0

oracle rapid planning 12.1

oracle rapid planning 12.2

oracle retail advanced inventory planning 15.0

oracle retail assortment planning 15.0

oracle retail assortment planning 16.0

oracle retail clearance optimization engine 14.0.5

oracle retail financial integration 14.0

oracle retail financial integration 14.1

oracle retail financial integration 15.0

oracle retail financial integration 16.0

oracle retail integration bus 15.0

oracle retail integration bus 15.0.3

oracle retail integration bus 16.0

oracle retail integration bus 16.0.3

oracle retail invoice matching 12.0

oracle retail invoice matching 13.0

oracle retail invoice matching 13.1

oracle retail invoice matching 13.2

oracle retail invoice matching 14.0

oracle retail invoice matching 14.1

oracle retail markdown optimization 13.4.4

oracle retail order broker 5.1

oracle retail order broker 5.2

oracle retail order broker 15.0

oracle retail order broker 16.0

oracle retail predictive application server 14.0.3

oracle retail predictive application server 14.0.3.26

oracle retail predictive application server 14.1.3

oracle retail predictive application server 14.1.3.37

oracle retail predictive application server 15.0.3

oracle retail predictive application server 15.0.3.100

oracle retail predictive application server 16.0

oracle retail predictive application server 16.0.3

oracle retail service backbone 15.0

oracle retail service backbone 16.0

oracle retail service backbone 16.0.1

oracle retail xstore point of service 7.1

oracle tape library acsls 8.5

oracle webcenter sites 12.2.1.3.0

oracle weblogic server 10.3.6.0.0

oracle weblogic server 12.1.3.0.0

oracle weblogic server 12.2.1.3.0

oracle weblogic server 12.2.1.4.0

debian debian linux 9.0

Vendor Advisories

Debian CVElist Bug Report Logs: libspring-java: CVE-2018-15756
Debian Bug report logs - #911786 libspring-java: CVE-2018-15756 Package: src:libspring-java; Maintainer for src:libspring-java is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 24 Oct 2018 19:06:01 UTC Severity: important Tags: ...
Red Hat: Important: Red Hat AMQ Broker 7.4.4 release and security update
Synopsis Important: Red Hat AMQ Broker 744 release and security update Type/Severity Security Advisory: Important Topic Red Hat AMQ Broker 744 is now available from the Red Hat Customer PortalRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability ...
Red Hat: Important: Red Hat Fuse 7.6.0 security update
Synopsis Important: Red Hat Fuse 760 security update Type/Severity Security Advisory: Important Topic A minor version update (from 75 to 76) is now available for Red Hat Fuse The purpose of this text-only errata is to inform you about the security issues fixed in this releaseRed Hat Product Security h ...
Red Hat: CVE-2018-15756
Spring Framework, version 51, versions 50x prior to 5010, versions 43x prior to 4320, and older unsupported versions on the 42x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 50 when an annotated controller returns an orgspringframeworkcoreioResource A ...

References

NVD-CWE-noinfohttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911786https://nvd.nist.govhttps://www.first.org/epsshttp://www.securityfocus.com/bid/105703https://lists.apache.org/thread.html/339fd112517e4873695b5115b96acdddbfc8f83b10598528d37c7d12%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/77886fec378ee6064debb1efb6b464a4a0173b2ff0d151ed86d3a228%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/7b156ee50ba3ecce87b33c06bf7a749d84ffee55e69bfb5eca88fcc3%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/8a1fe70534fc52ff5c9db5ac29c55657f802cbefd7e9d9850c7052bd%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/a3071e11c6fbd593022074ec1b4693f6d948c2b02cfa4a5d854aed68%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/bb354962cb51fff65740d5fb1bc2aac56af577c06244b57c36f98e4d%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/d6a84f52db89804b0ad965f3ea2b24bb880edee29107a1c5069cc3dd%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/efaa52b0aa67aae7cbd9e6ef96945387e422d7ce0e65434570a37b1d%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/f8905507a2c94af6b08b72d7be0c4b8c6660e585f00abfafeccc86bc%40%3Cissues.activemq.apache.org%3Ehttps://lists.debian.org/debian-lts-announce/2021/04/msg00022.htmlhttps://pivotal.io/security/cve-2018-15756https://www.oracle.com//security-alerts/cpujul2021.htmlhttps://www.oracle.com/security-alerts/cpuapr2020.htmlhttps://www.oracle.com/security-alerts/cpujan2020.htmlhttps://www.oracle.com/security-alerts/cpujan2021.htmlhttps://www.oracle.com/security-alerts/cpujul2020.htmlhttps://www.oracle.com/security-alerts/cpuoct2021.htmlhttps://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlhttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlhttps://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlhttp://www.securityfocus.com/bid/105703https://lists.apache.org/thread.html/339fd112517e4873695b5115b96acdddbfc8f83b10598528d37c7d12%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/77886fec378ee6064debb1efb6b464a4a0173b2ff0d151ed86d3a228%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/7b156ee50ba3ecce87b33c06bf7a749d84ffee55e69bfb5eca88fcc3%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/8a1fe70534fc52ff5c9db5ac29c55657f802cbefd7e9d9850c7052bd%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/a3071e11c6fbd593022074ec1b4693f6d948c2b02cfa4a5d854aed68%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/bb354962cb51fff65740d5fb1bc2aac56af577c06244b57c36f98e4d%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/d6a84f52db89804b0ad965f3ea2b24bb880edee29107a1c5069cc3dd%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/efaa52b0aa67aae7cbd9e6ef96945387e422d7ce0e65434570a37b1d%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/f8905507a2c94af6b08b72d7be0c4b8c6660e585f00abfafeccc86bc%40%3Cissues.activemq.apache.org%3Ehttps://lists.debian.org/debian-lts-announce/2021/04/msg00022.htmlhttps://pivotal.io/security/cve-2018-15756https://www.oracle.com//security-alerts/cpujul2021.htmlhttps://www.oracle.com/security-alerts/cpuapr2020.htmlhttps://www.oracle.com/security-alerts/cpujan2020.htmlhttps://www.oracle.com/security-alerts/cpujan2021.htmlhttps://www.oracle.com/security-alerts/cpujul2020.htmlhttps://www.oracle.com/security-alerts/cpuoct2021.htmlhttps://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlhttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlhttps://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Preferred Score:
CVSSv3
CVSSv2
CVSSv3
CVSSv4
EPSS
VMScore
Recommendations:
ssl.comCVE-2025-3278CVE-2025-24054brute forcefirewallprivilege escalationCVE-2025-24914qriousladCVE-2025-42599pritunlnamelessmcCVE-2025-3103CVE-2025-43895
Home
/
Search Results
/
CVE-2018-15756
Vulmon Logo Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook