Vulnerabilties Pivotals-Spring-Data-REST

Published on April 7th, 2018 | Post Views: 2,350  HitsPost Views

0

Spring Framework Multiple Security Vulnerability

  1. CVE-2018-1270: Remote Code Execution with spring-messaging
    CVE numberCVE-2018-1270
    Description: the version 5.*, Version 4.3.* of the Spring Framework and the older versions that are no longer supported. The WebSocket-based STOMP provided by spring-messaging and the spring-websocket module has a WebSocket connection established by an attacker. And send the possibility of malicious attack code to achieve remote code execution attacks, it is recommended to update to the new version as soon as possible.
  2. CVE-2018-1271: Directory Traversal with Spring MVC on Windows
    CVE number
    CVE-2018-1271
    Description: The version 5.*, Version 4.3.* of the Spring Framework, and older versions that are no longer supported. Spring MVC allows applications to provide static resources for their configuration. When this feature is implemented on a Windows system, the attacker The specific resource URL requested by the construction may lead to the effect of directory traversal, and it is recommended to update to the new version as soon as possible.
  3. CVE-2018-1272: Multipart Content Pollution with Spring Framework
    CVE numberCVE-2018-1272
    Description: The 5.* and 4.3.* versions of the Spring Framework, and older versions that are no longer supported, attack when a Spring MVC or Spring WebFlux server accepts a request to redirect another client to another server. By constructing and contaminating Multipart type requests, it is possible to implement privilege escalation attacks on another server and it is recommended to update to the new version as soon as possible.

 

Affected version & Solution

The affected versions of the three vulnerability CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 are as follows:

▼Advertisment

  • Spring Framework 5.x (5.0 to 5.0.4) version, it is recommended to update to version 5.0.5
  • Spring Framework 4.3.* (4.3 to 4.3.14) version, it is recommended to update to version 4.3.15
  • The older versions that are no longer supported, it is recommended to update to version 4.3.15 or 5.0.5












Leave a Reply

Back to Top ↑