Attacker Value
Unknown
CVE-2018-1257
CVE-2018-1257
(Last updated October 06, 2023) ▾
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Description
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
Add Assessment
No one has assessed this topic. Be the first to add your voice to the community.
CVSS V3 Severity and Metrics
Data provided by the National Vulnerability Database (NVD)
Base Score:
6.5 Medium
Impact Score:
3.6
Exploitability Score:
2.8
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High
General Information
Vendors
- oracle,
- redhat,
- vmware
Products
- agile product lifecycle management 9.3.3,
- agile product lifecycle management 9.3.4,
- agile product lifecycle management 9.3.5,
- agile product lifecycle management 9.3.6,
- application testing suite 12.5.0.3,
- application testing suite 13.1.0.1,
- application testing suite 13.2.0.1,
- application testing suite 13.3.0.1,
- big data discovery 1.6.0,
- communications converged application server,
- communications diameter signaling router,
- communications performance intelligence center,
- communications services gatekeeper,
- communications unified inventory management 7.3.2,
- communications unified inventory management 7.3.4,
- communications unified inventory management 7.3.5,
- communications unified inventory management 7.4.0,
- endeca information discovery integrator 3.1.0,
- endeca information discovery integrator 3.2.0,
- enterprise manager base platform 12.1.0.5.0,
- enterprise manager base platform 13.2.0.0.0,
- enterprise manager base platform 13.3.0.0.0,
- enterprise manager for mysql database 13.2,
- enterprise manager ops center 12.3.3,
- flexcube private banking 12.0.1.0,
- flexcube private banking 12.0.3.0,
- flexcube private banking 12.1.0.0,
- flexcube private banking 2.0.0.0,
- flexcube private banking 2.2.0.1,
- goldengate for big data 12.2.0.1,
- goldengate for big data 12.3.1.1,
- goldengate for big data 12.3.2.1,
- health sciences information manager 3.0,
- healthcare master person index 3.0,
- healthcare master person index 4.0,
- hospitality guest access 4.2.0,
- hospitality guest access 4.2.1,
- insurance calculation engine 10.1.1,
- insurance calculation engine 10.2,
- insurance calculation engine 10.2.1,
- insurance rules palette 10.0,
- insurance rules palette 10.1,
- insurance rules palette 10.2,
- insurance rules palette 11.0,
- insurance rules palette 11.1,
- openshift -,
- primavera gateway 15.2,
- primavera gateway 16.2,
- primavera gateway 17.12,
- retail customer insights 15.0,
- retail customer insights 16.0,
- retail open commerce platform 5.3.0,
- retail open commerce platform 6.0.0,
- retail open commerce platform 6.0.1,
- retail order broker 15.0,
- retail order broker 16.0,
- retail order broker 5.1,
- retail order broker 5.2,
- retail predictive application server 14.0,
- retail predictive application server 14.1,
- retail predictive application server 15.0,
- retail predictive application server 16.0,
- service architecture leveraging tuxedo 12.1.3.0.0,
- service architecture leveraging tuxedo 12.2.2.0.0,
- spring framework,
- tape library acsls 8.4,
- utilities network management system 1.12.0.3,
- weblogic server 10.3.6.0.0,
- weblogic server 12.1.3.0.0,
- weblogic server 12.2.1.3.0
References
Miscellaneous
