Information disclosure in Pivotal Spring Framework - CVE-2018-11040
Published: June 27, 2018
Vulnerability identifier: #VU13500
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-11040
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Pivotal
Affected software:
Pivotal Spring Framework
Pivotal Spring Framework
Detailed vulnerability description
The disclosed vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to improper cross-domain protections imposed by the affected software. The software allows web applications to enable cross-domain requests via JSON with Padding (JSONP) through the AbstractJsonpResponseBodyAdvice class for REST controllers and through the MappingJackson2JsonView class for browser requests. A remote attacker can trick the victim into following a link that submits malicious input and access sensitive information.
How to mitigate CVE-2018-11040
Update to version 4.3.18, 5.0.7.