Improper input validation in Pivotal Spring Framework - CVE-2018-1275
Published: April 24, 2018
Vulnerability identifier: #VU12131
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-1275
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Pivotal
Affected software:
Pivotal Spring Framework
Pivotal Spring Framework
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to allowing applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A remote attacker can submit a sepcially crafted message to the broker and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists due to allowing applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A remote attacker can submit a sepcially crafted message to the broker and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
How to mitigate CVE-2018-1275
Update to versions 5.0.5 or 4.3.16.