First published: Thu Jun 14 2018
Pivotal Spring Framework is vulnerable to cross-site tracing (XST), caused by a flaw in the HiddenHttpMethodFilter in Spring MVC. The filter lets a POST request carry a `_method` form parameter that overrides the HTTP method the application sees; in affected versions it accepted any value, so a POST with `_method=TRACE` was dispatched inside the application as a TRACE request. Browsers refuse to issue TRACE from script, but they will happily submit such a POST. An attacker who already has a cross-site scripting foothold in the application can therefore use this flaw to augment the XSS: script running in the victim's browser submits the overridden POST, and the TRACE response echoes the request headers back to the script, including cookies (HttpOnly ones among them) and Authorization headers the browser attached automatically.
Credit: security_alert@emc.com
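The following is an added example, not code from the Spring Framework, showing the override decision described above in isolation: the pre-4.3.18/5.0.7 behaviour (any non-empty `_method` value on a POST becomes the effective method) next to the allow-listed behaviour of the fixed releases, which honour only PUT, DELETE and PATCH. It models only the method-resolution step, with the form parameters assumed to be already parsed, so it needs no servlet API to compile and run; the parameter name `_method` and the allow-list match the filter's defaults, everything else (class and method names, the sample inputs) is this example's own.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;

/**
 * Stand-alone model of the HiddenHttpMethodFilter override decision.
 * Not Spring's code: it reproduces only the logic that decides which
 * HTTP method the rest of the application will see.
 */
public final class MethodOverrideDemo {

    /** Default override parameter name used by HiddenHttpMethodFilter. */
    static final String PARAM = "_method";

    /** Overrides the fixed releases still honour (the filter's allow-list). */
    static final List<String> ALLOWED = Arrays.asList("PUT", "DELETE", "PATCH");

    /**
     * Vulnerable behaviour: any non-empty _method value on a POST becomes the
     * effective method, so "_method=TRACE" turns the request into TRACE.
     */
    static String resolveVulnerable(String method, Map<String, String> form) {
        if (!"POST".equals(method)) {
            return method;                       // override only applies to POST
        }
        String override = form.get(PARAM);
        if (override == null || override.isEmpty()) {
            return method;
        }
        return override.toUpperCase(Locale.ENGLISH);
    }

    /**
     * Fixed behaviour: the override is applied only when the requested method
     * is on the allow-list; anything else (TRACE, OPTIONS, CONNECT, ...) is
     * ignored and the request stays a POST.
     */
    static String resolveFixed(String method, Map<String, String> form) {
        if (!"POST".equals(method)) {
            return method;
        }
        String override = form.get(PARAM);
        if (override == null || override.isEmpty()) {
            return method;
        }
        String upper = override.toUpperCase(Locale.ENGLISH);
        return ALLOWED.contains(upper) ? upper : method;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a legitimate REST-style override and an
        // XST attempt of the kind an XSS payload would submit.
        Map<String, String> putForm = Map.of(PARAM, "put");
        Map<String, String> traceForm = Map.of(PARAM, "trace");

        System.out.println("POST _method=put,   vulnerable: " + resolveVulnerable("POST", putForm));
        System.out.println("POST _method=put,   fixed:      " + resolveFixed("POST", putForm));
        System.out.println("POST _method=trace, vulnerable: " + resolveVulnerable("POST", traceForm));
        System.out.println("POST _method=trace, fixed:      " + resolveFixed("POST", traceForm));
        // Both versions ignore the parameter on anything other than POST.
        System.out.println("GET  _method=trace, fixed:      " + resolveFixed("GET", traceForm));
    }
}
```

Running the class prints `PUT`/`PUT` for the legitimate override, `TRACE` for the vulnerable resolver and `POST` for the fixed one on the `_method=trace` input, and `GET` for the last line. To check a live deployment without reading its code, send it a POST whose form body contains `_method=TRACE` and inspect the reply: a patched filter treats it as an ordinary POST, whereas an affected one dispatches it as TRACE and, if TRACE is served, the response body echoes the request headers you sent.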
Affected Software | Affected Version | How to fix |
---|---|---|
maven/org.springframework:spring-web | >=4.3.0<4.3.18 | 4.3.18 |
maven/org.springframework:spring-web | >=5.0.0<5.0.7 | 5.0.7 |
IBM GDE | <=3.0.0.2 | |
Spring Framework | <4.3.18 | |
Spring Framework | >=5.0.0<5.0.7 | |
Oracle Agile PLM | =9.3.3 | |
Oracle Agile PLM | =9.3.4 | |
Oracle Agile PLM | =9.3.5 | |
Oracle Agile PLM | =9.3.6 | |
Oracle Application Testing Suite | =12.5.0.3 | |
Oracle Application Testing Suite | =13.1.0.1 | |
Oracle Application Testing Suite | =13.2.0.1 | |
Oracle Application Testing Suite | =13.3.0.1 | |
Oracle Communications Diameter Signaling Router | <8.3 | |
Oracle Communications Network Integrity | >=7.3.2<=7.3.6 | |
Oracle Communications Online Mediation Controller | =6.1 | |
Oracle Communications Performance Intelligence Center | <10.2.1 | |
Oracle Communications Services Gatekeeper | <6.1.0.4.0 | |
Oracle Communications Unified Inventory Management | =7.3.2 | |
Oracle Communications Unified Inventory Management | =7.3.4 | |
Oracle Communications Unified Inventory Management | =7.3.5 | |
Oracle Communications Unified Inventory Management | =7.4.0 | |
Oracle Endeca Information Discovery Integrator | =3.1.0 | |
Oracle Endeca Information Discovery Integrator | =3.2.0 | |
Oracle Enterprise Manager Base Platform | =12.1.0.5.0 | |
Oracle Enterprise Manager Base Platform | =13.2.0.0.0 | |
Oracle Enterprise Manager Base Platform | =13.3.0.0.0 | |
Oracle Enterprise Manager for MySQL | =13.2 | |
Oracle Enterprise Manager Ops Center | =12.3.3 | |
Oracle Health Sciences Information Manager | =3.0 | |
Oracle Healthcare Master Person Index | =3.0 | |
Oracle Healthcare Master Person Index | =4.0 | |
Oracle Hospitality Guest Access | =4.2.0 | |
Oracle Hospitality Guest Access | =4.2.1 | |
Oracle Insurance Calculation Engine | >=11.0.0<=11.3.1 | |
Oracle Insurance Calculation Engine | =10.2 | |
Oracle Insurance Rules Palette | =10.0 | |
Oracle Insurance Rules Palette | =10.2 | |
Oracle MICROS Lucas | =2.9.5 | |
MySQL Enterprise Monitor | <=3.4.9.4237 | |
MySQL Enterprise Monitor | >=4.0.0<=4.0.6.5281 | |
MySQL Enterprise Monitor | >=8.0.0<=8.0.2.8191 | |
Oracle Primavera P6 Enterprise Project Portfolio Management | =18.8 | |
Oracle Retail Advanced Inventory Planning | =15.0 | |
Oracle Retail Assortment Planning | =14.1 | |
Oracle Retail Assortment Planning | =15.0 | |
Oracle Retail Assortment Planning | =16.0 | |
Oracle Retail Clearance Optimization Engine | =14.0.5 | |
Oracle Retail Customer Insights | =15.0 | |
Oracle Retail Customer Insights | =16.0 | |
Oracle Retail Financial Integration | =13.2 | |
Oracle Retail Financial Integration | =14.0 | |
Oracle Retail Financial Integration | =14.1 | |
Oracle Retail Financial Integration | =15.0 | |
Oracle Retail Financial Integration | =16.0 | |
Oracle Retail Integration Bus | =14.1.2 | |
Oracle Retail Markdown Optimization | =13.4.4 | |
Oracle Retail Predictive Application Server | =14.0.3.26 | |
Oracle Retail Predictive Application Server | =14.1.3.37 | |
Oracle Retail Predictive Application Server | =15.0.3.100 | |
Oracle Retail Predictive Application Server | =16.0 | |
Oracle Retail Xstore Office Cloud Service | =7.1 | |
Oracle Utilities Network Management System | =1.12.0.3 | |
Oracle WebLogic Server | =10.3.6.0.0 | |
Oracle WebLogic Server | =12.1.3.0.0 | |
Oracle WebLogic Server | =12.2.1.3.0 | |
Debian GNU/Linux | =9.0 | |
CVE-2018-11039 is rated medium severity (NVD CVSS v3.0 base score 5.9), not critical: it enables cross-site tracing, but only in applications that deploy the HiddenHttpMethodFilter and already contain a cross-site scripting flaw for the attacker to build on.
To remediate CVE-2018-11039, update to Spring Framework 4.3.18 or later on the 4.3 line, or 5.0.7 or later on the 5.0 line; older, unsupported 4.x and 3.x releases are also affected and must be upgraded. Where the `_method` override is not needed at all, removing the HiddenHttpMethodFilter from the filter chain closes the issue as well.
CVE-2018-11039 impacts the listed Spring Framework versions directly, and IBM GDE, the listed Oracle products, Debian 9 and other software only insofar as they ship a vulnerable Spring MVC with the filter in use.
CVE-2018-11039 is exploited from the victim's browser, but the browser never issues a TRACE request itself (script cannot send TRACE). Instead, attacker script, typically injected through an existing XSS flaw, submits a POST whose form body contains `_method=TRACE`; the vulnerable filter rewrites it to TRACE on the server, and the echoed headers in the response are read back by the script.
CVE-2018-11039 is a server-side flaw (the filter honours any override value) whose impact is client-side data exposure: request headers, including HttpOnly cookies and Authorization headers, become readable to script that could not otherwise access them.