Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
References
Link | Resource |
---|---|
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html | Patch Third Party Advisory |
http://www.securityfocus.com/bid/107984 | Broken Link Third Party Advisory VDB Entry |
https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html | Mailing List Third Party Advisory |
https://pivotal.io/security/cve-2018-11039 | Mitigation Vendor Advisory |
https://www.oracle.com/security-alerts/cpujan2020.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2020.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2021.html | Patch Third Party Advisory |
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html | Patch Third Party Advisory |
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html | Patch Third Party Advisory |
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: dell
Published: 2018-06-14T00:00:00
Updated: 2021-10-20T10:37:56
Reserved: 2018-05-14T00:00:00
Link: CVE-2018-11039
JSON object: View
NVD Information
Status : Analyzed
Published: 2018-06-25T15:29:00.317
Modified: 2022-06-23T16:30:58.723
Link: CVE-2018-11039
JSON object: View
Redhat Information
No data.
CWE