Spring Framework 5.1, 5.0.x before 5.0.10, 4.3.x before 4.3.20, and older unsupported versions on the 4.2.x branch support HTTP range requests when serving static resources through the ResourceHttpRequestHandler and, starting in 5.0, when an annotated controller returns an org.springframework.core.io.Resource. An attacker can send a Range header with a very large number of ranges, with wide ranges that overlap, or both, and force the server to do far more work (and produce a far larger response) than the resource itself warrants, which results in a denial of service.

This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also either register a handler for serving static resources (e.g. JS, CSS, images, and others) or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux serve static resources out of the box and are therefore vulnerable.
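The following is an added example, not Spring Framework code, showing the kind of check a server (or a filter in front of one) should apply to a Range header before reading any bytes. It parses RFC 7233 byte ranges against the resource length and then rejects the two request shapes the description above names: an excessive number of ranges, and overlapping or wide ranges whose combined size exceeds the resource (which is what turns a small file into a huge multipart response). The limit of 100 ranges and the verdict strings are illustrative assumptions; the sample headers are constructed.

```python
"""Validate an HTTP Range header before serving a static resource.

Added example (not Spring Framework code). The controls implemented here:
  1. cap the number of ranges (cheap check on the raw header, before parsing),
  2. cap the total bytes the ranges cover at the resource length,
  3. reject overlapping ranges outright.
MAX_RANGES is an assumed, generous bound; real clients send a handful at most.
"""
import re
from typing import List, Tuple

MAX_RANGES = 100  # assumption: illustrative limit, not a value taken from Spring

_UNIT = re.compile(r"^\s*bytes\s*=\s*(.+?)\s*$", re.IGNORECASE)
_SPEC = re.compile(r"^(\d*)-(\d*)$")  # first-byte-pos "-" last-byte-pos, either may be empty


def parse_byte_ranges(header: str, resource_length: int) -> List[Tuple[int, int]]:
    """Parse a Range header into absolute, inclusive (start, end) pairs.

    Ranges that start past the end of the resource are unsatisfiable and are
    dropped; the rest are clamped to the resource. Raises ValueError on a
    syntactically invalid header, which a server should answer with 400.
    """
    m = _UNIT.match(header)
    if not m:
        raise ValueError("unsupported or missing range unit")
    regions: List[Tuple[int, int]] = []
    for raw in m.group(1).split(","):
        spec = _SPEC.match(raw.strip())
        if not spec or spec.group(0) == "-":
            raise ValueError(f"bad range-spec {raw.strip()!r}")
        first, last = spec.groups()
        if first == "":
            # suffix-byte-range-spec "-N": the last N bytes of the resource
            n = int(last)
            if n == 0:
                continue  # zero-length suffix is unsatisfiable per RFC 7233
            start, end = max(resource_length - n, 0), resource_length - 1
        else:
            start = int(first)
            end = int(last) if last != "" else resource_length - 1
            if last != "" and end < start:
                raise ValueError(f"last-byte-pos before first-byte-pos in {raw.strip()!r}")
            if start >= resource_length:
                continue  # unsatisfiable range: ignored, not an error
            end = min(end, resource_length - 1)
        regions.append((start, end))
    return regions


def check_range_request(header: str, resource_length: int,
                        max_ranges: int = MAX_RANGES) -> str:
    """Decide how to handle a Range header before any resource bytes are read.

    Returns "serve", "unsatisfiable" (answer 416), "malformed" (answer 400)
    or "reject:<reason>" for the abusive shapes described in the advisory.
    """
    # Control 1 runs on the raw header so an attacker cannot make us pay the
    # parsing cost of thousands of range-specs before we say no.
    if header.count(",") + 1 > max_ranges:
        return "reject:too-many-ranges"
    try:
        regions = parse_byte_ranges(header, resource_length)
    except ValueError:
        return "malformed"
    if not regions:
        return "unsatisfiable"
    # Control 2: wide overlapping ranges make the server read and send the same
    # bytes repeatedly; the multipart response must not dwarf the resource.
    if sum(end - start + 1 for start, end in regions) > resource_length:
        return "reject:total-exceeds-resource"
    # Control 3: any overlap at all is rejected; clients never legitimately need it.
    ordered = sorted(regions)
    for (_, prev_end), (next_start, _) in zip(ordered, ordered[1:]):
        if next_start <= prev_end:
            return "reject:overlap"
    return "serve"


if __name__ == "__main__":
    # Constructed sample headers against a 10 000-byte resource.
    samples = [
        "bytes=0-499,500-999",                                   # ordinary two-part request
        "bytes=" + ",".join(f"{i}-{i}" for i in range(1000)),    # attack: many ranges
        "bytes=0-9999,0-9999,0-9999",                            # attack: wide overlapping ranges
        "bytes=0-10,5-15",                                       # small overlap
        "bytes=20000-",                                          # unsatisfiable -> 416
    ]
    for h in samples:
        print(f"{check_range_request(h, 10_000):<30} {h[:60]}")
```

The checks are ordered by cost: counting commas is O(header length), parsing comes next, and the sort for overlap detection runs only on requests that have already passed the size cap. Anything returning a `reject:` verdict should be answered without touching the resource at all; an HTTP 400 or 416 response both work, the important part is that no per-range I/O happens.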
Vulnerable Product |
---|
vmware spring framework |
vmware spring framework 5.1.0 |
oracle flexcube private banking 12.1.0 |
oracle insurance policy administration j2ee 10.2.0 |
oracle retail xstore point of service 7.1 |
oracle weblogic server 12.1.3.0.0 |
oracle retail invoice matching 13.0 |
oracle flexcube private banking 12.0.1 |
oracle primavera gateway 16.2 |
oracle primavera gateway 15.2 |
oracle retail invoice matching 12.0 |
oracle flexcube private banking 12.0.3 |
oracle insurance rules palette 10.2.0 |
oracle retail service backbone 15.0 |
oracle retail integration bus 15.0 |
oracle weblogic server 10.3.6.0.0 |
oracle weblogic server 12.2.1.3.0 |
oracle communications unified inventory management 7.3 |
oracle enterprise manager ops center 12.3.3 |
oracle webcenter sites 12.2.1.3.0 |
oracle endeca information discovery integrator 3.2.0 |
oracle insurance rules palette 10.0 |
oracle insurance rules palette 10.2 |
oracle healthcare master person index 3.0 |
oracle insurance calculation engine 10.2 |
oracle retail predictive application server 16.0 |
oracle retail order broker 5.1 |
oracle retail order broker 5.2 |
oracle retail order broker 15.0 |
oracle retail order broker 16.0 |
oracle insurance rules palette 10.1 |
oracle insurance rules palette 11.0 |
oracle primavera gateway 17.12 |
oracle retail integration bus 16.0 |
oracle retail assortment planning 15.0 |
oracle communications converged application server - service controller 6.1 |
oracle communications online mediation controller 6.1 |
oracle retail predictive application server 15.0.3 |
oracle retail clearance optimization engine 14.0.5 |
oracle agile plm 9.3.3 |
oracle agile plm 9.3.4 |
oracle agile plm 9.3.5 |
oracle agile plm 9.3.6 |
oracle retail assortment planning 16.0 |
oracle retail financial integration 14.0 |
oracle retail financial integration 14.1 |
oracle retail financial integration 15.0 |
oracle retail financial integration 16.0 |
oracle communications unified inventory management 7.4.0 |
oracle retail invoice matching 13.1 |
oracle retail invoice matching 13.2 |
oracle retail invoice matching 14.0 |
oracle retail invoice matching 14.1 |
oracle insurance policy administration j2ee 10.0 |
oracle insurance policy administration j2ee 10.2 |
oracle weblogic server 12.2.1.4.0 |
oracle rapid planning 12.1 |
oracle rapid planning 12.2 |
oracle mysql enterprise monitor |
oracle communications element manager 8.2.0 |
oracle communications element manager 8.2.1 |
oracle communications element manager 8.1.1 |
oracle enterprise manager for fusion applications 13.3.0.0 |
oracle communications session report manager 8.1.1 |
oracle communications session report manager 8.2.0 |
oracle communications session report manager 8.2.1 |
oracle communications session route manager 8.1.1 |
oracle communications session route manager 8.2.0 |
oracle communications session route manager 8.2.1 |
oracle goldengate application adapters 12.3.2.1.0 |
oracle identity manager connector 9.0 |
oracle communications diameter signaling router 8.2.1 |
oracle communications diameter signaling router 8.0.0 |
oracle communications diameter signaling router 8.1 |
oracle communications diameter signaling router 8.2 |
oracle retail service backbone 16.0 |
oracle retail integration bus 15.0.3 |
oracle financial services analytical applications infrastructure |
oracle primavera gateway 18.8.0 |
oracle communications session route manager 8.0.0 |
oracle communications session route manager 8.1.0 |
oracle communications session report manager 8.0.0 |
oracle communications session report manager 8.1.0 |
oracle tape library acsls 8.5 |
oracle retail predictive application server 14.0.3 |
oracle retail integration bus 16.0.3 |
oracle insurance rules palette 10.2.4 |
oracle insurance rules palette 11.0.2 |
oracle insurance rules palette 11.1.0 |
oracle insurance rules palette 11.2.0 |
oracle insurance policy administration j2ee 10.2.4 |
oracle insurance policy administration j2ee 11.1.0 |
oracle insurance policy administration j2ee 11.2.0 |
oracle healthcare master person index 4.0.2 |
oracle retail predictive application server 14.1.3 |
oracle retail advanced inventory planning 15.0 |
oracle communications brm - elastic charging engine 12.0 |
oracle communications brm - elastic charging engine 11.3 |
oracle retail predictive application server 16.0.3 |
oracle retail markdown optimization 13.4.4 |
oracle retail predictive application server 14.1.3.37 |
oracle retail predictive application server 14.0.3.26 |
oracle retail predictive application server 15.0.3.100 |
oracle retail service backbone 16.0.1 |
oracle communications converged application server - service controller 6.0 |
oracle insurance policy administration j2ee 10.1 |
oracle insurance policy administration j2ee 11.0 |
oracle insurance calculation engine 9.7 |
oracle insurance calculation engine 10.0 |
oracle insurance calculation engine 10.1 |
oracle primavera analytics 18.8 |
debian debian linux 9.0 |