
CVE-2018-1258

Disclosure Date: May 11, 2018

Description

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.


CVSS V3 Severity and Metrics

Base Score: 8.8 High
Impact Score: 5.9
Exploitability Score: 2.8
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • netapp,
  • oracle,
  • pivotal software,
  • redhat,
  • vmware

Products

  • agile plm 9.3.3,
  • agile plm 9.3.4,
  • agile plm 9.3.5,
  • agile plm 9.3.6,
  • application testing suite 10.1,
  • application testing suite 12.5.0.3,
  • application testing suite 13.1.0.1,
  • application testing suite 13.2.0.1,
  • application testing suite 13.3.0.1,
  • big data discovery 1.6.0,
  • communications converged application server,
  • communications diameter signaling router,
  • communications network integrity,
  • communications performance intelligence center,
  • communications services gatekeeper,
  • endeca information discovery integrator 3.1.0,
  • endeca information discovery integrator 3.2.0,
  • enterprise manager for mysql database 13.2,
  • enterprise manager ops center 12.2.2,
  • enterprise manager ops center 12.3.3,
  • enterprise repository 11.1.1.7.0,
  • enterprise repository 12.1.3.0.0,
  • fuse 7.3.0,
  • goldengate for big data 12.2.0.1,
  • goldengate for big data 12.3.1.1,
  • goldengate for big data 12.3.2.1,
  • health sciences information manager 3.0,
  • healthcare master person index 3.0,
  • healthcare master person index 4.0,
  • hospitality guest access 4.2.0,
  • hospitality guest access 4.2.1,
  • insurance calculation engine 10.1.1,
  • insurance calculation engine 10.2,
  • insurance calculation engine 10.2.1,
  • insurance policy administration 10.0,
  • insurance policy administration 10.1,
  • insurance policy administration 10.2,
  • insurance policy administration 11.0,
  • insurance rules palette 10.0,
  • insurance rules palette 10.1,
  • insurance rules palette 10.2,
  • insurance rules palette 11.0,
  • insurance rules palette 11.1,
  • micros lucas 2.9.5,
  • mysql enterprise monitor,
  • oncommand insight,
  • oncommand unified manager,
  • oncommand workflow automation,
  • peoplesoft enterprise fin install 9.2,
  • retail assortment planning 14.1,
  • retail assortment planning 15.0,
  • retail assortment planning 16.0,
  • retail back office 14.0,
  • retail back office 14.1,
  • retail central office 14.0,
  • retail central office 14.1,
  • retail customer insights 15.0,
  • retail customer insights 16.0,
  • retail financial integration 13.2,
  • retail financial integration 14.0,
  • retail financial integration 14.1,
  • retail financial integration 15.0,
  • retail financial integration 16.0,
  • retail integration bus 14.1.2,
  • retail point-of-service 14.0,
  • retail point-of-service 14.1,
  • retail returns management 14.0,
  • retail returns management 14.1,
  • retail xstore point of service 17.0,
  • service architecture leveraging tuxedo 12.1.3.0.0,
  • service architecture leveraging tuxedo 12.2.2.0.0,
  • snapcenter,
  • spring framework 5.0.5,
  • spring security,
  • storage automation store,
  • tape library acsls 8.4,
  • weblogic server 10.3.6.0,
  • weblogic server 12.1.3.0,
  • weblogic server 12.2.1.2,
  • weblogic server 12.2.1.3