Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
References
Link | Resource |
---|---|
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html | Patch Third Party Advisory |
http://www.securityfocus.com/bid/107984 | Broken Link Third Party Advisory VDB Entry |
https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html | Mailing List Third Party Advisory |
https://pivotal.io/security/cve-2018-11039 | Mitigation Vendor Advisory |
https://www.oracle.com/security-alerts/cpujan2020.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2020.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2021.html | Patch Third Party Advisory |
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html | Patch Third Party Advisory |
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html | Patch Third Party Advisory |
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
23 Jun 2022, 16:30
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* | |
First Time |
Vmware spring Framework
Vmware |
|
References | (BID) http://www.securityfocus.com/bid/107984 - Broken Link, Third Party Advisory, VDB Entry |
13 Apr 2022, 14:51
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:13.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_markdown_optimization:13.4.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:13.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.37:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_calculation_engine:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3..100:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_online_mediation_controller:6.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_network_management_system:1.12.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3.26:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_assortment_planning:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:* |
|
References | (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpujan2020.html - Patch, Third Party Advisory | |
References | (CONFIRM) http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpujul2020.html - Patch, Third Party Advisory | |
References | (BID) http://www.securityfocus.com/bid/107984 - Broken Link | |
References | (CONFIRM) https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html - Patch, Third Party Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html - Mailing List, Third Party Advisory | |
First Time |
Oracle retail Advanced Inventory Planning
Oracle endeca Information Discovery Integrator Oracle retail Financial Integration Oracle communications Diameter Signaling Router Oracle retail Integration Bus Oracle micros Lucas Oracle health Sciences Information Manager Oracle enterprise Manager Ops Center Oracle weblogic Server Oracle mysql Enterprise Monitor Oracle retail Markdown Optimization Oracle primavera P6 Enterprise Project Portfolio Management Oracle communications Network Integrity Oracle application Testing Suite Oracle retail Xstore Point Of Service Oracle retail Predictive Application Server Oracle communications Online Mediation Controller Oracle communications Services Gatekeeper Debian debian Linux Oracle utilities Network Management System Oracle Oracle hospitality Guest Access Oracle enterprise Manager Base Platform Oracle healthcare Master Person Index Oracle agile Plm Oracle retail Clearance Optimization Engine Oracle insurance Calculation Engine Oracle enterprise Manager For Mysql Database Oracle retail Assortment Planning Oracle insurance Rules Palette Debian Oracle communications Performance Intelligence Center Oracle retail Customer Insights Oracle communications Unified Inventory Management |
20 Oct 2021, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
23 Apr 2021, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2018-06-25 15:29
Updated : 2023-12-10 12:30
NVD link : CVE-2018-11039
Mitre link : CVE-2018-11039
CVE.ORG link : CVE-2018-11039
JSON object : View
Products Affected
oracle
- communications_performance_intelligence_center
- retail_clearance_optimization_engine
- retail_customer_insights
- retail_predictive_application_server
- endeca_information_discovery_integrator
- enterprise_manager_for_mysql_database
- enterprise_manager_ops_center
- primavera_p6_enterprise_project_portfolio_management
- insurance_rules_palette
- retail_assortment_planning
- weblogic_server
- retail_advanced_inventory_planning
- retail_markdown_optimization
- retail_financial_integration
- agile_plm
- health_sciences_information_manager
- retail_xstore_point_of_service
- communications_online_mediation_controller
- mysql_enterprise_monitor
- communications_services_gatekeeper
- communications_unified_inventory_management
- application_testing_suite
- utilities_network_management_system
- enterprise_manager_base_platform
- micros_lucas
- retail_integration_bus
- hospitality_guest_access
- healthcare_master_person_index
- communications_diameter_signaling_router
- communications_network_integrity
- insurance_calculation_engine
vmware
- spring_framework
debian
- debian_linux
CWE