Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2018-15756

Disclosure Date: October 18, 2018
CVE-2018-15756 CVSS v3 Base Score: 7.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
3.6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Spring framework 5.1
Spring framework 5.0.9
Spring framework 4.3.19
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • debian,
  • oracle,
  • vmware

Products

  • agile plm 9.3.3,
  • agile plm 9.3.4,
  • agile plm 9.3.5,
  • agile plm 9.3.6,
  • communications brm - elastic charging engine 11.3,
  • communications brm - elastic charging engine 12.0,
  • communications converged application server - service controller 6.0,
  • communications converged application server - service controller 6.1,
  • communications diameter signaling router 8.0.0,
  • communications diameter signaling router 8.1,
  • communications diameter signaling router 8.2,
  • communications diameter signaling router 8.2.1,
  • communications element manager 8.1.1,
  • communications element manager 8.2.0,
  • communications element manager 8.2.1,
  • communications online mediation controller 6.1,
  • communications session report manager 8.0.0,
  • communications session report manager 8.1.0,
  • communications session report manager 8.1.1,
  • communications session report manager 8.2.0,
  • communications session report manager 8.2.1,
  • communications session route manager 8.0.0,
  • communications session route manager 8.1.0,
  • communications session route manager 8.1.1,
  • communications session route manager 8.2.0,
  • communications session route manager 8.2.1,
  • communications unified inventory management 7.3,
  • communications unified inventory management 7.4.0,
  • debian linux 9.0,
  • endeca information discovery integrator 3.2.0,
  • enterprise manager for fusion applications 13.3.0.0,
  • enterprise manager ops center 12.3.3,
  • financial services analytical applications infrastructure,
  • flexcube private banking 12.0.1,
  • flexcube private banking 12.0.3,
  • flexcube private banking 12.1.0,
  • goldengate application adapters 12.3.2.1.0,
  • healthcare master person index 3.0,
  • healthcare master person index 4.0.2,
  • identity manager connector 9.0,
  • insurance calculation engine 10.0,
  • insurance calculation engine 10.1,
  • insurance calculation engine 10.2,
  • insurance calculation engine 9.7,
  • insurance policy administration j2ee 10.0,
  • insurance policy administration j2ee 10.1,
  • insurance policy administration j2ee 10.2,
  • insurance policy administration j2ee 10.2.0,
  • insurance policy administration j2ee 10.2.4,
  • insurance policy administration j2ee 11.0,
  • insurance policy administration j2ee 11.1.0,
  • insurance policy administration j2ee 11.2.0,
  • insurance rules palette 10.0,
  • insurance rules palette 10.1,
  • insurance rules palette 10.2,
  • insurance rules palette 10.2.0,
  • insurance rules palette 10.2.4,
  • insurance rules palette 11.0,
  • insurance rules palette 11.0.2,
  • insurance rules palette 11.1.0,
  • insurance rules palette 11.2.0,
  • mysql enterprise monitor,
  • primavera analytics 18.8,
  • primavera gateway 15.2,
  • primavera gateway 16.2,
  • primavera gateway 17.12,
  • primavera gateway 18.8.0,
  • rapid planning 12.1,
  • rapid planning 12.2,
  • retail advanced inventory planning 15.0,
  • retail assortment planning 15.0,
  • retail assortment planning 16.0,
  • retail clearance optimization engine 14.0.5,
  • retail financial integration 14.0,
  • retail financial integration 14.1,
  • retail financial integration 15.0,
  • retail financial integration 16.0,
  • retail integration bus 15.0,
  • retail integration bus 15.0.3,
  • retail integration bus 16.0,
  • retail integration bus 16.0.3,
  • retail invoice matching 12.0,
  • retail invoice matching 13.0,
  • retail invoice matching 13.1,
  • retail invoice matching 13.2,
  • retail invoice matching 14.0,
  • retail invoice matching 14.1,
  • retail markdown optimization 13.4.4,
  • retail order broker 15.0,
  • retail order broker 16.0,
  • retail order broker 5.1,
  • retail order broker 5.2,
  • retail predictive application server 14.0.3,
  • retail predictive application server 14.0.3.26,
  • retail predictive application server 14.1.3,
  • retail predictive application server 14.1.3.37,
  • retail predictive application server 15.0.3,
  • retail predictive application server 15.0.3.100,
  • retail predictive application server 16.0,
  • retail predictive application server 16.0.3,
  • retail service backbone 15.0,
  • retail service backbone 16.0,
  • retail service backbone 16.0.1,
  • retail xstore point of service 7.1,
  • spring framework,
  • spring framework 5.1.0,
  • tape library acsls 8.5,
  • webcenter sites 12.2.1.3.0,
  • weblogic server 10.3.6.0.0,
  • weblogic server 12.1.3.0.0,
  • weblogic server 12.2.1.3.0,
  • weblogic server 12.2.1.4.0

References

Canonical
CVE-2018-15756 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15756)
BID-105703 (http://www.securityfocus.com/bid/105703)
Advisory
[activemq-issues] 20190529 [jira] [Created] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (https://lists.apache.org/thread.html/a3071e11c6fbd593022074ec1b4693f6d948c2b02cfa4a5d854aed68@%3Cissues.activemq.apache.org%3E)
[activemq-issues] 20190529 [jira] [Commented] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (https://lists.apache.org/thread.html/339fd112517e4873695b5115b96acdddbfc8f83b10598528d37c7d12@%3Cissues.activemq.apache.org%3E)
[activemq-issues] 20190529 [jira] [Updated] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (https://lists.apache.org/thread.html/d6a84f52db89804b0ad965f3ea2b24bb880edee29107a1c5069cc3dd@%3Cissues.activemq.apache.org%3E)
[activemq-issues] 20190626 [jira] [Assigned] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (https://lists.apache.org/thread.html/bb354962cb51fff65740d5fb1bc2aac56af577c06244b57c36f98e4d@%3Cissues.activemq.apache.org%3E)
[activemq-issues] 20190626 [jira] [Work logged] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (https://lists.apache.org/thread.html/7b156ee50ba3ecce87b33c06bf7a749d84ffee55e69bfb5eca88fcc3@%3Cissues.activemq.apache.org%3E)
[activemq-issues] 20190716 [jira] [Commented] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (https://lists.apache.org/thread.html/77886fec378ee6064debb1efb6b464a4a0173b2ff0d151ed86d3a228@%3Cissues.activemq.apache.org%3E)
[activemq-issues] 20190826 [jira] [Reopened] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (https://lists.apache.org/thread.html/8a1fe70534fc52ff5c9db5ac29c55657f802cbefd7e9d9850c7052bd@%3Cissues.activemq.apache.org%3E)
[activemq-issues] 20190826 [jira] [Closed] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (https://lists.apache.org/thread.html/efaa52b0aa67aae7cbd9e6ef96945387e422d7ce0e65434570a37b1d@%3Cissues.activemq.apache.org%3E)
[activemq-issues] 20190826 [jira] [Updated] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (https://lists.apache.org/thread.html/f8905507a2c94af6b08b72d7be0c4b8c6660e585f00abfafeccc86bc@%3Cissues.activemq.apache.org%3E)
https://pivotal.io/security/cve-2018-15756
[debian-lts-announce] 20210423 [SECURITY] [DLA 2635-1] libspring-java security update (https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html)
Miscellaneous
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis