CVE-2018-11039

{"id": "CVE-2018-11039", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2018-06-25T15:29:00.317", "references": [{"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "tags": ["Patch", "Third Party Advisory"], "source": "security_alert@emc.com"}, {"url": "http://www.securityfocus.com/bid/107984", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "source": "security_alert@emc.com"}, {"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "security_alert@emc.com"}, {"url": "https://pivotal.io/security/cve-2018-11039", "tags": ["Mitigation", "Vendor Advisory"], "source": "security_alert@emc.com"}, {"url": "https://www.oracle.com/security-alerts/cpujan2020.html", "tags": ["Patch", "Third Party Advisory"], "source": "security_alert@emc.com"}, {"url": "https://www.oracle.com/security-alerts/cpujul2020.html", "tags": ["Patch", "Third Party Advisory"], "source": "security_alert@emc.com"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "security_alert@emc.com"}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", "tags": ["Patch", "Third Party Advisory"], "source": "security_alert@emc.com"}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", "tags": ["Patch", "Third Party Advisory"], "source": "security_alert@emc.com"}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "tags": ["Patch", "Third Party Advisory"], "source": "security_alert@emc.com"}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/107984", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://pivotal.io/security/cve-2018-11039", "tags": ["Mitigation", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/security-alerts/cpujan2020.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/security-alerts/cpujul2020.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack."}, {"lang": "es", "value": "Spring Framework (versiones 5.0.x anteriores a la 5.0.7, versiones 4.3.x anteriores a la 4.3.18 y versiones anteriores sin soporte) permite que las aplicaciones web cambien el m\u00e9todo de petici\u00f3n HTTP a cualquier m\u00e9todo HTTP (incluyendo TRACE) utilizando HiddenHttpMethodFilter en Spring MVC. Si una aplicaci\u00f3n tiene una vulnerabilidad Cross-Site Scripting (XSS) preexistente, un usuario (o atacante) malicioso puede emplear este filtro para escalar a un ataque XST (Cross Site Tracing)."}], "lastModified": "2024-11-21T03:42:32.633", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9D3891F0-7BAE-45DD-992E-57DACE8ADEFE", "versionEndExcluding": "4.3.18"}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8331CA8D-B3F4-4999-8E1C-E2AA9C834CAD", "versionEndExcluding": "5.0.7", "versionStartIncluding": "5.0.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D14ABF04-E460-4911-9C6C-B7BCEFE68E9D"}, {"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CCF62B0C-A8BD-40E6-9E4E-E684F4E87ACD"}, {"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ED43772F-D280-42F6-A292-7198284D6FE7"}, {"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2"}, {"criteria": "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17EA8B91-7634-4636-B647-1049BA7CA088"}, {"criteria": "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B4DF46F-DBCC-41F2-A260-F83A14838F23"}, {"criteria": "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "10F17843-32EA-4C31-B65C-F424447BEF7B"}, {"criteria": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A125E817-F974-4509-872C-B71933F42AD1"}, {"criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF5A0F0D-313D-4F5C-AD6D-8C118D5CD8D8", "versionEndExcluding": "8.3"}, {"criteria": "cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ABD748C9-24F6-4739-9772-208B98616EE2", "versionEndIncluding": "7.3.6", "versionStartIncluding": "7.3.2"}, {"criteria": "cpe:2.3:a:oracle:communications_online_mediation_controller:6.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15817206-C2AD-47B7-B40F-85BB36DB4E78"}, {"criteria": "cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "468931C8-C76A-4E47-BF00-185D85F719C5", "versionEndExcluding": "10.2.1"}, {"criteria": "cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97C1FA4C-5163-420C-A01A-EA36F1039BBB", "versionEndExcluding": "6.1.0.4.0"}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B58BCDA-E173-4D4A-A9C5-E9BFF7E57F58"}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D299528-8EF0-49AF-9BDE-4B6C6B1DA36C"}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17A91FD9-9F77-42D3-A4D9-48BC7568ADE1"}, {"criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "539DA24F-E3E0-4455-84C6-A9D96CD601B3"}, {"criteria": "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8B65CD29-C729-42AC-925E-014BA19581E2"}, {"criteria": "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E856B4A-6AE7-4317-921A-35B4D2048652"}, {"criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "98F3E643-4B65-4668-BB11-C61ED54D5A53"}, {"criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "459B4A5F-A6BD-4A1C-B6B7-C979F005EB70"}, {"criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CDCE0E90-495E-4437-8529-3C36441FB69D"}, {"criteria": "cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:13.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51C25F23-6800-48A2-881C-C2A2C3FA045C"}, {"criteria": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AB654DFA-FEF9-4D00-ADB0-F3F2B6ACF13E"}, {"criteria": "cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9027528A-4FE7-4E3C-B2DF-CCCED22128F5"}, {"criteria": "cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A699D02-296B-411E-9658-5893240605D6"}, {"criteria": "cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7036576C-2B1F-413D-B154-2DBF9BFDE7E3"}, {"criteria": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A3DC116-2844-47A1-BEC2-D0675DD97148"}, {"criteria": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0F1DF3E-0F2D-4EFC-9A3E-F72149C8AE94"}, {"criteria": "cpe:2.3:a:oracle:insurance_calculation_engine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E08D4207-DB46-42D6-A8C9-1BE857483B88", "versionEndIncluding": "11.3.1", "versionStartIncluding": "11.0.0"}, {"criteria": "cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "641D134E-6C51-4DB8-8554-F6B5222EF479"}, {"criteria": "cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB6321F8-7A0A-4DB8-9889-3527023C652A"}, {"criteria": "cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02867DC7-E669-43C0-ACC4-E1CAA8B9994C"}, {"criteria": "cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "98EE20FD-3D21-4E23-95B8-7BD13816EB95"}, {"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A94B32D-6B5F-4E42-8345-4F9126A89435", "versionEndIncluding": "3.4.9.4237"}, {"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF71D94F-EFC5-4390-A380-AC0E5DB05516", "versionEndIncluding": "4.0.6.5281", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33EFAF19-A639-47AD-9CDC-D174C91F0F00", "versionEndIncluding": "8.0.2.8191", "versionStartIncluding": "8.0.0"}, {"criteria": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0745445C-EC43-4091-BA7C-5105AFCC6F1F"}, {"criteria": "cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "517E0654-F1DE-43C4-90B5-FB90CA31734B"}, {"criteria": "cpe:2.3:a:oracle:retail_assortment_planning:14.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "921B7906-A20A-4313-9398-D542A4198BBF"}, {"criteria": "cpe:2.3:a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D09C6958-DD7C-4B43-B7F0-4EE65ED5B582"}, {"criteria": "cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1BBFE031-4BD1-4501-AC62-DC0AFC2167B7"}, {"criteria": "cpe:2.3:a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FE91D517-D85D-4A8D-90DC-4561BBF8670E"}, {"criteria": "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AD4AB77A-E829-4603-AF6A-97B9CD0D687F"}, {"criteria": "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DE15D64-6F49-4F43-8079-0C7827384C86"}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:13.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ACB5604C-69AF-459D-A82D-8A3B78CF2655"}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:14.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "655CF3AE-B649-4282-B727-8B3C5D829C40"}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:14.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53CFE454-3E73-4A88-ABEE-322139B169A8"}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "457C8C66-FB0C-4532-9027-8777CF42D17A"}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF2B9DA6-2937-4574-90DF-09FD770B23D4"}, {"criteria": "cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20357086-0C32-44B5-A1FA-79283E88FB47"}, {"criteria": "cpe:2.3:a:oracle:retail_markdown_optimization:13.4.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B05A34B4-A853-456C-BD56-3B3FD6397424"}, {"criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3.26:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A17D989-66AC-4A17-AB4D-E0EC045FB457"}, {"criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.37:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "14285308-8564-4858-8D31-E40E57B27390"}, {"criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3..100:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A0BBB59C-D3B4-4CA9-870B-3FB9118F3F4E"}, {"criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21973CDD-D16E-4321-9F8E-67F4264D7C21"}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A0ED83E3-E6BF-4EAA-AF8F-33485A88A218"}, {"criteria": "cpe:2.3:a:oracle:utilities_network_management_system:1.12.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE188B12-D28E-490C-9948-F5305A7D55BF"}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B40B13B7-68B3-4510-968C-6A730EB46462"}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C93CC705-1F8C-4870-99E6-14BF264C3811"}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}