CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP request parameters, enabling cross-domain requests.

Published: 2018-06-25 15:29  Updated: 2019-10-03 00:03

CVSS Score: 4.3 / 10
Vendor Product Version URI
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0
Pivotal Software Spring Framework 4.3.1 cpe:/a:pivotal_software:spring_framework:4.3.1
Pivotal Software Spring Framework 4.3.2 cpe:/a:pivotal_software:spring_framework:4.3.2
Pivotal Software Spring Framework 4.3.3 cpe:/a:pivotal_software:spring_framework:4.3.3
Pivotal Software Spring Framework 4.3.4 cpe:/a:pivotal_software:spring_framework:4.3.4
Pivotal Software Spring Framework 4.3.5 cpe:/a:pivotal_software:spring_framework:4.3.5
Pivotal Software Spring Framework 4.3.6 cpe:/a:pivotal_software:spring_framework:4.3.6
Pivotal Software Spring Framework 4.3.7 cpe:/a:pivotal_software:spring_framework:4.3.7
Pivotal Software Spring Framework 4.3.8 cpe:/a:pivotal_software:spring_framework:4.3.8
Pivotal Software Spring Framework 4.3.9 cpe:/a:pivotal_software:spring_framework:4.3.9
Pivotal Software Spring Framework 4.3.10 cpe:/a:pivotal_software:spring_framework:4.3.10
Pivotal Software Spring Framework 4.3.11 cpe:/a:pivotal_software:spring_framework:4.3.11
Pivotal Software Spring Framework 4.3.12 cpe:/a:pivotal_software:spring_framework:4.3.12
Pivotal Software Spring Framework 4.3.13 cpe:/a:pivotal_software:spring_framework:4.3.13
Pivotal Software Spring Framework 4.3.14 cpe:/a:pivotal_software:spring_framework:4.3.14
Pivotal Software Spring Framework 4.3.15 cpe:/a:pivotal_software:spring_framework:4.3.15
Pivotal Software Spring Framework 4.3.16 cpe:/a:pivotal_software:spring_framework:4.3.16
Pivotal Software Spring Framework 4.3.17 cpe:/a:pivotal_software:spring_framework:4.3.17
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0
Pivotal Software Spring Framework 5.0.1 cpe:/a:pivotal_software:spring_framework:5.0.1
Pivotal Software Spring Framework 5.0.2 cpe:/a:pivotal_software:spring_framework:5.0.2
Pivotal Software Spring Framework 5.0.3 cpe:/a:pivotal_software:spring_framework:5.0.3
Pivotal Software Spring Framework 5.0.4 cpe:/a:pivotal_software:spring_framework:5.0.4
Pivotal Software Spring Framework 5.0.5 cpe:/a:pivotal_software:spring_framework:5.0.5
Pivotal Software Spring Framework 5.0.6 cpe:/a:pivotal_software:spring_framework:5.0.6
Oracle Agile Product Lifecycle Management 9.3.3 cpe:/a:oracle:agile_product_lifecycle_management:9.3.3
Oracle Agile Product Lifecycle Management 9.3.4 cpe:/a:oracle:agile_product_lifecycle_management:9.3.4
Oracle Agile Product Lifecycle Management 9.3.5 cpe:/a:oracle:agile_product_lifecycle_management:9.3.5
Oracle Application Testing Suite 12.5.0.3 cpe:/a:oracle:application_testing_suite:12.5.0.3
Oracle Application Testing Suite 13.1.0.1 cpe:/a:oracle:application_testing_suite:13.1.0.1
Oracle Application Testing Suite 13.2.0.1 cpe:/a:oracle:application_testing_suite:13.2.0.1
Oracle Application Testing Suite 13.3.0.1 cpe:/a:oracle:application_testing_suite:13.3.0.1
Oracle Communications Unified Inventory Management 7.3.2 cpe:/a:oracle:communications_unified_inventory_management:7.3.2
Oracle Communications Unified Inventory Management 7.3.4 cpe:/a:oracle:communications_unified_inventory_management:7.3.4
Oracle Communications Unified Inventory Management 7.3.5 cpe:/a:oracle:communications_unified_inventory_management:7.3.5
Oracle Communications Unified Inventory Management 7.4.0 cpe:/a:oracle:communications_unified_inventory_management:7.4.0
Oracle Endeca Information Discovery Integrator 3.1.0 cpe:/a:oracle:endeca_information_discovery_integrator:3.1.0
Oracle Endeca Information Discovery Integrator 3.2.0 cpe:/a:oracle:endeca_information_discovery_integrator:3.2.0
Oracle Enterprise Manager 13.2 cpe:/a:oracle:enterprise_manager:13.2::~~~mysql~~
Oracle Enterprise Manager Ops Center 12.3.3 cpe:/a:oracle:enterprise_manager_ops_center:12.3.3
Oracle Flexcube Private Banking 2.0.0.0 cpe:/a:oracle:flexcube_private_banking:2.0.0.0
Oracle Flexcube Private Banking 2.2.0.1 cpe:/a:oracle:flexcube_private_banking:2.2.0.1
Oracle Flexcube Private Banking 12.0.1.0 cpe:/a:oracle:flexcube_private_banking:12.0.1.0
Oracle Flexcube Private Banking 12.0.3.0 cpe:/a:oracle:flexcube_private_banking:12.0.3.0
Oracle Flexcube Private Banking 12.1.0.0 cpe:/a:oracle:flexcube_private_banking:12.1.0.0
Oracle Healthcare Master Person Index 3.0 cpe:/a:oracle:healthcare_master_person_index:3.0
Oracle Healthcare Master Person Index 4.0 cpe:/a:oracle:healthcare_master_person_index:4.0
Oracle Hospitality Guest Access 4.2.0 cpe:/a:oracle:hospitality_guest_access:4.2.0
Oracle Hospitality Guest Access 4.2.1 cpe:/a:oracle:hospitality_guest_access:4.2.1
Oracle Insurance Rules Palette 10.0 cpe:/a:oracle:insurance_rules_palette:10.0
Oracle Insurance Rules Palette 10.2 cpe:/a:oracle:insurance_rules_palette:10.2
Oracle Micros Lucas 2.9.5 cpe:/a:oracle:micros_lucas:2.9.5
Oracle Mysql Enterprise Monitor 3.4.9.4237 cpe:/a:oracle:mysql_enterprise_monitor:3.4.9.4237
Oracle Product Lifecycle Management 9.3.6 cpe:/a:oracle:product_lifecycle_management:9.3.6
Oracle Retail Customer Insights 15.0 cpe:/a:oracle:retail_customer_insights:15.0
Oracle Retail Customer Insights 16.0 cpe:/a:oracle:retail_customer_insights:16.0
Oracle Utilities Network Management System 1.12.0.3 cpe:/a:oracle:utilities_network_management_system:1.12.0.3
Oracle Weblogic Server 12.2.1.3.0 cpe:/a:oracle:weblogic_server:12.2.1.3.0
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0:-
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0:rc1
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0:rc2
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:-
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone1
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone2
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone3
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone4
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone5
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc1
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc2
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc3
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc4

CWE

ID Name Description
CWE-829 Inclusion of Functionality from Untrusted Control Sphere The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

History of changes

Date Event
2019-10-03 00:03
2019-07-23 23:15
2019-05-10 18:19
2019-04-23 19:31
2019-01-16 19:29
2018-10-17 01:31
2018-08-30 16:19
2018-06-25 15:29
