Vulnerability Description
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pivotal Software | Spring Security | All versions |
| Vmware | Spring Framework | 5.0.5 |
| Oracle | Agile Plm | 9.3.3 |
| Oracle | Application Testing Suite | 10.1 |
| Oracle | Big Data Discovery | 1.6.0 |
| Oracle | Communications Converged Application Server | < 7.0.0.1 |
| Oracle | Communications Diameter Signaling Router | < 8.3 |
| Oracle | Communications Network Integrity | >= 7.3.2, <= 7.3.6 |
| Oracle | Communications Performance Intelligence Center | < 10.2.1 |
| Oracle | Communications Services Gatekeeper | < 6.1.0.4.0 |
| Oracle | Endeca Information Discovery Integrator | 3.1.0 |
| Oracle | Enterprise Manager For Mysql Database | 13.2 |
| Oracle | Enterprise Manager Ops Center | 12.2.2 |
| Oracle | Enterprise Repository | 11.1.1.7.0 |
| Oracle | Goldengate For Big Data | 12.2.0.1 |
| Oracle | Health Sciences Information Manager | 3.0 |
| Oracle | Healthcare Master Person Index | 3.0 |
| Oracle | Hospitality Guest Access | 4.2.0 |
| Oracle | Insurance Calculation Engine | 10.1.1 |
| Oracle | Insurance Policy Administration | 10.0 |
Related Weaknesses (CWE)
References
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlPatchThird Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlPatchThird Party Advisory
- http://www.securityfocus.com/bid/104222Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1041888Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1041896Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2019:2413PatchThird Party Advisory
- https://pivotal.io/security/cve-2018-1258Vendor Advisory
- https://security.netapp.com/advisory/ntap-20181018-0002/Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2020.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2020.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2021.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2020.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatchThird Party Advisory
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlPatchThird Party Advisory
FAQ
What is CVE-2018-1258?
CVE-2018-1258 is a vulnerability with a CVSS score of 8.8 (HIGH). Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauth...
How severe is CVE-2018-1258?
CVE-2018-1258 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1258?
Check the references section above for vendor advisories and patch information. Affected products include: Pivotal Software Spring Security, Vmware Spring Framework, Oracle Agile Plm, Oracle Application Testing Suite, Oracle Big Data Discovery.