Vulnerability Description
Spring Framework versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions allow a web application's HTTP request method to be changed to any HTTP method, including TRACE, through the HiddenHttpMethodFilter in Spring MVC: the filter rewrites an incoming POST to whatever method the `_method` request parameter names, without restricting the set of target methods. If the application has a pre-existing XSS vulnerability, an attacker can use the filter to escalate it to a Cross Site Tracing (XST) attack. TRACE echoes the received request, including its Cookie and Authorization headers, back in the response body, so injected script running in the victim's origin can read values such as HttpOnly cookies that it otherwise cannot reach. The fixed releases restrict the override to PUT, DELETE and PATCH.
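As an added example (not the page's own text, and not Spring's code or the project's patch), the following servlet filter shows the hardening the fixed versions apply: the `_method` override is honoured only for an explicit allow-list (PUT, DELETE, PATCH), so a POST carrying `_method=TRACE` can no longer reach the DispatcherServlet as a TRACE. The class and package names are hypothetical; the code targets the javax.servlet API used by Spring 4.3 and 5.0. Unlike the stock filter, which silently ignores a disallowed value, this version answers 400 so that probes are visible in the access log.

```java
// Hypothetical package and class name; added example, not Spring's HiddenHttpMethodFilter.
package example.security;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

public class RestrictedHiddenHttpMethodFilter extends OncePerRequestFilter {

    // Same parameter name the stock filter reads, so existing HTML forms keep working.
    private static final String METHOD_PARAM = "_method";

    // Only the methods a browser form cannot send on its own. TRACE, GET, OPTIONS,
    // HEAD and anything else are refused, which closes the XST escalation path.
    private static final Set<String> ALLOWED_METHODS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("PUT", "DELETE", "PATCH")));

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        HttpServletRequest requestToUse = request;

        // The override is only meaningful for POST; ignore the parameter on every other method.
        if ("POST".equals(request.getMethod())) {
            String override = request.getParameter(METHOD_PARAM);
            if (override != null && !override.isEmpty()) {
                // Case-insensitive, as in the stock filter: _method=put and _method=PUT are equal.
                String method = override.toUpperCase(Locale.ENGLISH);
                if (ALLOWED_METHODS.contains(method)) {
                    requestToUse = new MethodOverrideRequest(request, method);
                } else {
                    // Reject rather than fall back to POST so that _method=TRACE (or any other
                    // probe) is recorded as a 400 and never reaches a handler or HttpServlet.doTrace.
                    response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                            "unsupported " + METHOD_PARAM + " override");
                    return;
                }
            }
        }
        filterChain.doFilter(requestToUse, response);
    }

    // Wrapper that reports the overridden method to everything downstream in the chain.
    private static final class MethodOverrideRequest extends HttpServletRequestWrapper {
        private final String method;

        MethodOverrideRequest(HttpServletRequest request, String method) {
            super(request);
            this.method = method;
        }

        @Override
        public String getMethod() {
            return method;
        }
    }
}
```

Register this class as a Filter bean in place of HiddenHttpMethodFilter. It is a stop-gap for deployments that cannot move to a fixed release; upgrading to 4.3.18 or 5.0.7 (or later) is the proper fix, since those versions carry the same allow-list in the framework itself.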
CVSS Score
5.9 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| VMware | Spring Framework | 4.3.x, < 4.3.18 |
| VMware | Spring Framework | 5.0.x, < 5.0.7 |
| Oracle | Agile PLM | 9.3.3 |
| Oracle | Application Testing Suite | 12.5.0.3 |
| Oracle | Communications Diameter Signaling Router | < 8.3 |
| Oracle | Communications Network Integrity | >= 7.3.2, <= 7.3.6 |
| Oracle | Communications Online Mediation Controller | 6.1 |
| Oracle | Communications Performance Intelligence Center | < 10.2.1 |
| Oracle | Communications Services Gatekeeper | < 6.1.0.4.0 |
| Oracle | Communications Unified Inventory Management | 7.3.2 |
| Oracle | Endeca Information Discovery Integrator | 3.1.0 |
| Oracle | Enterprise Manager Base Platform | 12.1.0.5.0 |
| Oracle | Enterprise Manager for MySQL Database | 13.2 |
| Oracle | Enterprise Manager Ops Center | 12.3.3 |
| Oracle | Health Sciences Information Manager | 3.0 |
| Oracle | Healthcare Master Person Index | 3.0 |
| Oracle | Hospitality Guest Access | 4.2.0 |
| Oracle | Insurance Calculation Engine | >= 11.0.0, <= 11.3.1 |
| Oracle | Insurance Rules Palette | 10.0 |
| Oracle | Micros Lucas | 2.9.5 |
| Oracle | MySQL Enterprise Monitor | <= 3.4.9.4237 |
References
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (Patch, Third Party Advisory)
- http://www.securityfocus.com/bid/107984 (Broken Link, Third Party Advisory, VDB Entry)
- https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html (Mailing List, Third Party Advisory)
- https://pivotal.io/security/cve-2018-11039 (Mitigation, Vendor Advisory)
- https://www.oracle.com/security-alerts/cpujan2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (Patch, Third Party Advisory)
FAQ
What is CVE-2018-11039?
CVE-2018-11039 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allows web applications to change the HTTP request method to any HTTP method (including ...
How severe is CVE-2018-11039?
CVE-2018-11039 has been rated MEDIUM with a CVSS base score of 5.9/10. See the CVSS Score section above.
Is there a patch for CVE-2018-11039?
Yes: Spring Framework 4.3.18 and 5.0.7 contain the fix. Check the references section above for the vendor advisory and for the Oracle Critical Patch Updates that ship the fixed framework in affected Oracle products. Affected products include: VMware Spring Framework, Oracle Agile PLM, Oracle Application Testing Suite, Oracle Communications Diameter Signaling Router, Oracle Communications Network Integrity.