First published: Thu Apr 05 2018
Pivotal Spring Framework could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper input validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain elevated privileges.
Credit: security_alert@emc.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/springframework | <5.0.5 | 5.0.5 |
redhat/springframework | <4.3.15 | 4.3.15 |
maven/org.springframework:spring-core | >=5.0.0, <5.0.5 | 5.0.5 |
maven/org.springframework:spring-core | <4.3.15 | 4.3.15 |
VMware Spring Framework | >=4.3.0, <4.3.15 | |
VMware Spring Framework | >=5.0, <5.0.5 | |
Oracle Application Testing Suite | =12.5.0.3 | |
Oracle Application Testing Suite | =13.1.0.1 | |
Oracle Application Testing Suite | =13.2.0.1 | |
Oracle Application Testing Suite | =13.3.0.1 | |
Oracle Big Data Discovery | =1.6.0 | |
Oracle Communications Converged Application Server | <7.0.0.1 | |
Oracle Communications Diameter Signaling Router | <8.3 | |
Oracle Communications Performance Intelligence Center | <10.2.1 | |
GNU Gatekeeper | <6.1.0.4.0 | |
Oracle Enterprise Manager Ops Center | =12.2.2 | |
Oracle Enterprise Manager Ops Center | =12.3.3 | |
Oracle GoldenGate | =12.2.0.1 | |
Oracle GoldenGate | =12.3.1.1 | |
Oracle GoldenGate | =12.3.2.1 | |
Oracle Health Sciences Information Manager | =3.0 | |
Oracle Healthcare Master Person Index | =3.0 | |
Oracle Healthcare Master Person Index | =4.0 | |
Oracle Insurance Calculation Engine | =10.1.1 | |
Oracle Insurance Calculation Engine | =10.2 | |
Oracle Insurance Calculation Engine | =10.2.1 | |
Oracle Insurance Rules Palette | =10.0 | |
Oracle Insurance Rules Palette | =10.1 | |
Oracle Insurance Rules Palette | =10.2 | |
Oracle Insurance Rules Palette | =11.0 | |
Oracle Insurance Rules Palette | =11.1 | |
Oracle Primavera Gateway | =15.2 | |
Oracle Primavera Gateway | =16.2 | |
Oracle Primavera Gateway | =17.12 | |
Oracle Retail Back Office | =14.0 | |
Oracle Retail Back Office | =14.1 | |
Oracle Retail Central Office | =14.0 | |
Oracle Retail Central Office | =14.1 | |
Oracle Retail Customer Insights | =15.0 | |
Oracle Retail Customer Insights | =16.0 | |
Oracle Retail Integration Bus | =14.0.1 | |
Oracle Retail Integration Bus | =14.0.2 | |
Oracle Retail Integration Bus | =14.0.3 | |
Oracle Retail Integration Bus | =14.0.4 | |
Oracle Retail Integration Bus | =14.1.1 | |
Oracle Retail Integration Bus | =14.1.2 | |
Oracle Retail Integration Bus | =14.1.3 | |
Oracle Retail Integration Bus | =15.0.0.1 | |
Oracle Retail Integration Bus | =15.0.1 | |
Oracle Retail Integration Bus | =15.0.2 | |
Oracle Retail Integration Bus | =16.0 | |
Oracle Retail Integration Bus | =16.0.1 | |
Oracle Retail Integration Bus | =16.0.2 | |
Oracle Retail Open Commerce Platform Cloud Service | =5.3.0 | |
Oracle Retail Open Commerce Platform Cloud Service | =6.0.0 | |
Oracle Retail Open Commerce Platform Cloud Service | =6.0.1 | |
Oracle Retail Order Broker | =5.1 | |
Oracle Retail Order Broker | =5.2 | |
Oracle Retail Order Broker | =15.0 | |
Oracle Retail Order Broker | =16.0 | |
Oracle Retail Point-of-Sale | =14.0 | |
Oracle Retail Point-of-Sale | =14.1 | |
Oracle Retail Predictive Application Server | =14.0 | |
Oracle Retail Predictive Application Server | =14.1 | |
Oracle Retail Predictive Application Server | =15.0 | |
Oracle Retail Predictive Application Server | =16.0 | |
Oracle Retail Returns Management | =14.0 | |
Oracle Retail Returns Management | =14.1 | |
Oracle Service Architecture Leveraging Tuxedo | =12.1.3.0.0 | |
Oracle Service Architecture Leveraging Tuxedo | =12.2.2.0.0 | |
Oracle StorageTek ACSLS | =8.4 | |
IBM Global Data Engine | <=3.0.0.2 | |
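The affected ranges for `org.springframework:spring-core` in the table above (`<4.3.15`, fixed in 4.3.15; `>=5.0.0, <5.0.5`, fixed in 5.0.5) are easy to misread when the declared version carries a qualifier. The following is an added example, not code from this advisory or from the Spring project, that encodes those two ranges and audits the `spring-core` versions declared in a `pom.xml`. It assumes Spring 4.x/5.0 version strings of the form `5.0.4.RELEASE` (the qualifier is ignored for comparison); the sample POM is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges for org.springframework:spring-core, taken from the advisory table:
#   <4.3.15          -> fixed in 4.3.15
#   >=5.0.0, <5.0.5  -> fixed in 5.0.5
FIXED_4X = (4, 3, 15)
FIRST_5X = (5, 0, 0)
FIXED_5X = (5, 0, 5)

# Maven POM namespace used by the XML lookups below.
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version):
    """Turn '5.0.4.RELEASE' or '4.3.14' into a comparable tuple such as (5, 0, 4).

    Only the leading numeric components are compared; a trailing qualifier
    like '.RELEASE' or '.RC1' (assumed Spring convention) is ignored.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def fixed_version_for(version):
    """Return the fixed version a declared spring-core version should move to,
    or None when the version is outside both affected ranges."""
    v = parse_version(version)
    if v < FIXED_4X:
        return "4.3.15"
    if FIRST_5X <= v < FIXED_5X:
        return "5.0.5"
    return None


def is_affected(version):
    """True when the version falls inside an affected range from the table."""
    return fixed_version_for(version) is not None


def spring_core_versions(pom_xml):
    """Return every version declared for org.springframework:spring-core in a POM."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iterfind(".//m:dependency", POM_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        ver = dep.findtext("m:version", default="", namespaces=POM_NS)
        if gid == "org.springframework" and aid == "spring-core" and ver:
            found.append(ver)
    return found


def audit_pom(pom_xml):
    """Map each declared spring-core version to its fixed version (None if not affected)."""
    return {v: fixed_version_for(v) for v in spring_core_versions(pom_xml)}


# Constructed sample POM for the example (not taken from any real project).
# spring-core is pinned inside the affected 5.0.x range; spring-webmvc is ignored.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>5.0.4.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>5.0.4.RELEASE</version>
    </dependency>
  </dependencies>
</project>"""


if __name__ == "__main__":
    for ver, fix in audit_pom(SAMPLE_POM).items():
        status = f"AFFECTED, upgrade to {fix}" if fix else "not affected"
        print(f"spring-core {ver}: {status}")
```

The check only sees a `spring-core` version declared directly in the POM; when the artifact arrives transitively (for example through `spring-webmvc` or a Boot starter), run the same `fixed_version_for` check over the resolved dependency tree rather than over the POM text.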
CVE-2018-1272 is considered a high severity vulnerability due to the potential for remote authenticated attackers to gain elevated privileges.
To remediate CVE-2018-1272, upgrade Spring Framework to 5.0.5 or later on the 5.0 line, or to 4.3.15 or later on the 4.3 line.
CVE-2018-1272 is an input validation vulnerability that can lead to privilege escalation.
Systems running vulnerable versions of Spring Framework, including various Oracle and IBM products, are affected by CVE-2018-1272.
CVE-2018-1272 can be exploited remotely: an authenticated attacker sends specially-crafted requests to the vulnerable application.