Vulnerability Name: CVE-2018-11040 (CCN-145413)

Assigned:2018-06-14
Published:2018-06-14
Updated:2022-06-23
Summary:Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, once MappingJackson2JsonView is configured in an application, JSONP support is automatically active through the "jsonp" and "callback" query parameters, enabling cross-domain requests.
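The summary above says JSONP wrapping is live as soon as MappingJackson2JsonView is configured, triggered by a "jsonp" or "callback" query parameter. The Python below is an added example, not code from Spring, Pivotal or any advisory referenced on this page: it applies the advisory's version ranges to a dependency version string, builds a probe URL carrying a random callback name, and classifies a captured response body as JSONP-wrapped or plain JSON. The wrapper shape "/**/name(...);" (with the leading comment treated as optional) and the sample bodies are assumptions constructed for the example, not taken from the page.

```python
"""Added example for CVE-2018-11040 (not code from the Spring project or
the advisory): offline checks for triaging this CVE.

Assumptions (not stated on the page):
  * The JSONP wrapper shape "/**/<callback>(<json>);" is what
    MappingJackson2JsonView writes for a request carrying a "jsonp" or
    "callback" parameter; the check also accepts the wrapper without the
    leading "/**/" comment in case a target differs.
  * The sample response bodies below are constructed, not captured.
"""
import json
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters the advisory names as enabling JSONP.
JSONP_PARAMS = ("jsonp", "callback")
JSONP_COMMENT_PREFIX = "/**/"


def parse_version(version):
    """Return (major, minor, patch) from strings such as '5.0.6.RELEASE'."""
    nums = []
    for part in version.split(".")[:3]:
        match = re.match(r"\d+", part)
        nums.append(int(match.group(0)) if match else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected_version(version):
    """Apply the advisory's ranges: 5.0.x below 5.0.7, 4.3.x below 4.3.18,
    and the older unsupported lines (anything below 4.3) are affected."""
    major, minor, patch = parse_version(version)
    if (major, minor) == (5, 0):
        return patch < 7
    if (major, minor) == (4, 3):
        return patch < 18
    return (major, minor) < (4, 3)


def make_probe_url(url, param="callback"):
    """Append a random callback name under `param`; returns (probe_url, name).
    A random name avoids false positives from cached or static responses."""
    name = "cb_" + secrets.token_hex(4)
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((param, name))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment)), name


def detect_jsonp(body, callback):
    """Return (wrapped, payload). wrapped is True when the body is the JSON
    payload wrapped in a call to `callback`: JSONP is live, so the data is
    readable from any origin through a <script> tag."""
    text = body.strip()
    if text.startswith(JSONP_COMMENT_PREFIX):
        text = text[len(JSONP_COMMENT_PREFIX):]
    head = callback + "("
    if not (text.startswith(head) and text.endswith(");")):
        return False, None
    try:
        payload = json.loads(text[len(head):-2])
    except ValueError:
        return False, None
    return True, payload


def assess(version, body, callback):
    """Combine the version check and the behavioural check into one verdict."""
    wrapped, _ = detect_jsonp(body, callback)
    if wrapped:
        return "JSONP enabled: response is executable cross-origin"
    if is_affected_version(version):
        return "version in affected range; no JSONP wrapping observed for this endpoint"
    return "not affected"


# Constructed sample bodies (not captured from any real system).
SAMPLE_CALLBACK = "cb_1a2b3c4d"
SAMPLE_WRAPPED = '/**/cb_1a2b3c4d({"id":42,"email":"alice@example.com"});'
SAMPLE_PLAIN = '{"id":42,"email":"alice@example.com"}'

if __name__ == "__main__":
    for param in JSONP_PARAMS:
        probe, name = make_probe_url("https://app.example.test/api/me?verbose=1", param)
        print("probe:", probe, "expect wrapper named", name)
    print(assess("5.0.6.RELEASE", SAMPLE_WRAPPED, SAMPLE_CALLBACK))
    print(assess("5.0.7.RELEASE", SAMPLE_PLAIN, SAMPLE_CALLBACK))
```

A wrapped response means the endpoint's JSON is executable from any origin via a script tag, which is the cross-domain exposure the summary describes. An unwrapped response on an affected version still warrants upgrading to 5.0.7 or 4.3.18, the releases that stop enabling these parameters by default; until then, cross-origin clients should be served through CORS rather than JSONP.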
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Complete
Availability (A): None
Vulnerability Type:CWE-829
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2018-11040

Source: CONFIRM
Type: Patch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Source: XF
Type: UNKNOWN
pivotal-cve201811040-sec-bypass(145413)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210423 [SECURITY] [DLA 2635-1] libspring-java security update

Source: CCN
Type: Pivotal Web site
CVE-2018-11040: JSONP enabled by default in MappingJackson2JsonView

Source: CONFIRM
Type: Mitigation, Vendor Advisory
https://pivotal.io/security/cve-2018-11040

Source: CCN
Type: IBM Security Bulletin 6403331 (Security Guardium Data Encryption)
Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)

Source: CCN
Type: IBM Security Bulletin 6841803 (Cognos Controller)
IBM Cognos Controller has addressed multiple vulnerabilities

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Source: CONFIRM
Type: Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-11040

Vulnerable Configuration:Configuration 1:
  • cpe:/a:vmware:spring_framework:*:*:*:*:*:*:*:* (Version >= 5.0.0 and < 5.0.7)
  • OR cpe:/a:vmware:spring_framework:*:*:*:*:*:*:*:* (Version < 4.3.18)

  • Configuration 2:
  • cpe:/a:oracle:flexcube_private_banking:2.2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:agile_product_lifecycle_management:9.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:agile_product_lifecycle_management:9.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:agile_product_lifecycle_management:9.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_online_mediation_controller:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* (Version < 6.1.0.4.0)
  • OR cpe:/a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_network_management_system:1.12.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_network_integrity:*:*:*:*:*:*:*:* (Version >= 7.3.2 and <= 7.3.6)
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager:13.2:*:*:*:*:mysql:*:*
  • OR cpe:/a:oracle:flexcube_private_banking:2.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:flexcube_private_banking:12.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:flexcube_private_banking:12.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:flexcube_private_banking:12.1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_calculation_engine:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.3.1)
  • OR cpe:/a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* (Version <= 3.4.9.4237)
  • OR cpe:/a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* (Version >= 3.4.10 and <= 4.0.6.5281)
  • OR cpe:/a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* (Version >= 4.0.7 and <= 8.0.2.8191)
  • OR cpe:/a:oracle:product_lifecycle_management:9.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_markdown_optimization:13.4.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:14.0.3.26:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:14.1.3.37:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:15.0.3.100:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_service_backbone:16.0.1:*:*:*:*:*:*:*

  • Configuration 3:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:pivotal:spring_framework:4.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:pivotal:spring_framework:5.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:pivotal:spring_framework:5.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:pivotal:spring_framework:4.3.17:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:com.ubuntu.xenial:def:2018110400000000 | V | CVE-2018-11040 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-06-25
    oval:com.ubuntu.artful:def:201811040000 | V | CVE-2018-11040 on Ubuntu 17.10 (artful) - medium. | 2018-06-25
    oval:com.ubuntu.xenial:def:201811040000 | V | CVE-2018-11040 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-06-25
    oval:com.ubuntu.disco:def:2018110400000000 | V | CVE-2018-11040 on Ubuntu 19.04 (disco) - medium. | 2018-06-25
    oval:com.ubuntu.bionic:def:201811040000 | V | CVE-2018-11040 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-06-25
    oval:com.ubuntu.cosmic:def:2018110400000000 | V | CVE-2018-11040 on Ubuntu 18.10 (cosmic) - medium. | 2018-06-25
    oval:com.ubuntu.cosmic:def:201811040000 | V | CVE-2018-11040 on Ubuntu 18.10 (cosmic) - medium. | 2018-06-25
    oval:com.ubuntu.bionic:def:2018110400000000 | V | CVE-2018-11040 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-06-25
    oval:com.ubuntu.trusty:def:201811040000 | V | CVE-2018-11040 on Ubuntu 14.04 LTS (trusty) - medium. | 2018-06-25