CVE-2018-1258

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Patch Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	Patch Third Party Advisory
http://www.securityfocus.com/bid/104222	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1041888	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1041896	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2019:2413	Patch Third Party Advisory
https://pivotal.io/security/cve-2018-1258	Vendor Advisory
https://security.netapp.com/advisory/ntap-20181018-0002/	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pivotal_software:spring_security::::::::
	cpe:2.3:a:vmware:spring_framework:5.0.5:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:oracle:agile_plm:9.3.3:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.4:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.5:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
	cpe:2.3:a:oracle:application_testing_suite:10.1:::::::*
	cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:::::::*
	cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:::::::*
	cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:::::::*
	cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:::::::*
	cpe:2.3:a:oracle:big_data_discovery:1.6.0:::::::*
	cpe:2.3:a:oracle:communications_converged_application_server::::::::
	cpe:2.3:a:oracle:communications_diameter_signaling_router::::::::
	cpe:2.3:a:oracle:communications_network_integrity::::::::
	cpe:2.3:a:oracle:communications_performance_intelligence_center::::::::
	cpe:2.3:a:oracle:communications_services_gatekeeper::::::::
	cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:::::::*
	cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:13.2:::::::*
	cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:::::::*
	cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:::::::*
	cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:::::::*
	cpe:2.3:a:oracle:enterprise_repository:12.1.3.0.0:::::::*
	cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1:::::::*
	cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1:::::::*
	cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1:::::::*
	cpe:2.3:a:oracle:health_sciences_information_manager:3.0:::::::*
	cpe:2.3:a:oracle:healthcare_master_person_index:3.0:::::::*
	cpe:2.3:a:oracle:healthcare_master_person_index:4.0:::::::*
	cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:::::::*
	cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:::::::*
	cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:::::::*
	cpe:2.3:a:oracle:insurance_calculation_engine:10.2:::::::*
	cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration:10.0:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration:10.1:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration:10.2:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration:11.0:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:10.0:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:10.1:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:10.2:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:11.0:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:11.1:::::::*
	cpe:2.3:a:oracle:micros_lucas:2.9.5:::::::*
	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
	cpe:2.3:a:oracle:peoplesoft_enterprise_fin_install:9.2:::::::*
	cpe:2.3:a:oracle:retail_assortment_planning:14.1:::::::*
	cpe:2.3:a:oracle:retail_assortment_planning:15.0:::::::*
	cpe:2.3:a:oracle:retail_assortment_planning:16.0:::::::*
	cpe:2.3:a:oracle:retail_back_office:14.0:::::::*
	cpe:2.3:a:oracle:retail_back_office:14.1:::::::*
	cpe:2.3:a:oracle:retail_central_office:14.0:::::::*
	cpe:2.3:a:oracle:retail_central_office:14.1:::::::*
	cpe:2.3:a:oracle:retail_customer_insights:15.0:::::::*
	cpe:2.3:a:oracle:retail_customer_insights:16.0:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:13.2:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:14.0:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:14.1:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:15.0:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:16.0:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:14.1.2:::::::*
	cpe:2.3:a:oracle:retail_point-of-service:14.0:::::::*
	cpe:2.3:a:oracle:retail_point-of-service:14.1:::::::*
	cpe:2.3:a:oracle:retail_returns_management:14.0:::::::*
	cpe:2.3:a:oracle:retail_returns_management:14.1:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:::::::*
cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:::::::*
cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:::::::*
cpe:2.3:a:oracle:tape_library_acsls:8.4:::::::*
cpe:2.3:a:oracle:weblogic_server:10.3.6.0:::::::*
cpe:2.3:a:oracle:weblogic_server:12.1.3.0:::::::*
cpe:2.3:a:oracle:weblogic_server:12.2.1.2:::::::*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:netapp:oncommand_insight:-:::::::*
	cpe:2.3:a:netapp:oncommand_unified_manager::::::windows::*
	cpe:2.3:a:netapp:oncommand_unified_manager::::::vsphere::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
	cpe:2.3:a:netapp:snapcenter:-:::::::*
	cpe:2.3:a:netapp:storage_automation_store:-:::::::*

Configuration 4 (hide)

cpe:2.3:a:redhat:fuse:7.3.0:*:*:*:*:*:*:*

History

11 Apr 2022, 17:18

Type	Values Removed	Values Added
CPE	cpe:2.3:a:pivotal_software:spring_framework:5.0.5:::::::*	cpe:2.3:a:vmware:spring_framework:5.0.5:::::::*
First Time		Vmware Vmware spring Framework

16 Dec 2021, 18:21

Type	Values Removed	Values Added
CPE		cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:::::::* cpe:2.3:a:oracle:communications_network_integrity:::::::: cpe:2.3:a:redhat:fuse:7.3.0:::::::*
References	~~(MISC) https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html -~~	(MISC) https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html - Patch, Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpujan2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujan2021.html - Patch, Third Party Advisory
References	~~(REDHAT) https://access.redhat.com/errata/RHSA-2019:2413 -~~	(REDHAT) https://access.redhat.com/errata/RHSA-2019:2413 - Patch, Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpujul2020.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujul2020.html - Patch, Third Party Advisory
References	~~(N/A) https://www.oracle.com/security-alerts/cpuapr2020.html -~~	(N/A) https://www.oracle.com/security-alerts/cpuapr2020.html - Patch, Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpujan2020.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujan2020.html - Patch, Third Party Advisory

20 Oct 2021, 11:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -

20 Jan 2021, 15:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpujan2021.html -

Information

Published : 2018-05-11 20:29

Updated : 2023-12-10 12:30

NVD link : CVE-2018-1258

Mitre link : CVE-2018-1258

CVE.ORG link : CVE-2018-1258

JSON object : View

Products Affected

oracle

communications_performance_intelligence_center
communications_converged_application_server
insurance_calculation_engine
weblogic_server
goldengate_for_big_data
communications_services_gatekeeper
hospitality_guest_access
health_sciences_information_manager
retail_central_office
communications_diameter_signaling_router
retail_point-of-service
insurance_rules_palette
enterprise_repository
enterprise_manager_ops_center
tape_library_acsls
retail_back_office
mysql_enterprise_monitor
retail_assortment_planning
agile_plm
insurance_policy_administration
micros_lucas
enterprise_manager_for_mysql_database
communications_network_integrity
healthcare_master_person_index
service_architecture_leveraging_tuxedo
retail_xstore_point_of_service
endeca_information_discovery_integrator
retail_customer_insights
application_testing_suite
big_data_discovery
retail_financial_integration
retail_returns_management
peoplesoft_enterprise_fin_install
retail_integration_bus

netapp

snapcenter
oncommand_unified_manager
oncommand_workflow_automation
oncommand_insight
storage_automation_store

redhat

fuse

pivotal_software

spring_security

vmware

spring_framework

CWE

CWE-863

Incorrect Authorization

8.8 /10