Cross-site tracing attack in Pivotal Spring Framework - CVE-2018-11039
Published: June 26, 2018 / Updated: June 27, 2018
Vulnerability identifier: #VU13499
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-11039
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Pivotal
Affected software:
Pivotal Spring Framework
Pivotal Spring Framework
Detailed vulnerability description
The disclosed vulnerability allows a remote attacker to perform cross-site tracing (XST) attacks.
The vulnerability exists due to the HiddenHttpMethodFilter class in the Spring MVC framework used by the affected software allows web applications to change the HTTP request method to any HTTP method, including the TRACE method. A remote attacker can trick a user who is using a web application that has a cross-site scripting (XSS) vulnerability into following a link that submits malicious input, conduct an XST attack and access sensitive information, such as the user's credentials.
Successful exploitation of the vulnerability results in information disclosure.
How to mitigate CVE-2018-11039
Update to version 4.3.18, 5.0.7.