CVE-2018-1257

Spring Framework versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints backed by the simple, in-memory STOMP broker in the spring-messaging module. A malicious user (or attacker) can craft a message to that broker that triggers a regular expression denial of service (ReDoS) attack, consuming server CPU with catastrophic regex backtracking.
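The practical question for an operator is whether the affected module is on the classpath at an affected version. The script below is an added example for this record, not code from the Spring project: it encodes the version ranges stated in the description (4.3.x fixed in 4.3.17, 5.0.x fixed in 5.0.6, anything older than 4.3 treated as an affected unsupported line, pre-release qualifiers such as RC1 and M5 treated like the listed rc/milestone CPEs) and scans the output format of Maven's `mvn dependency:list` for `org.springframework` artifacts. The sample Maven output is constructed for the example, not captured from a real build.

```python
import re
from typing import List, Optional, Tuple

# Fixed patch level per affected release line, taken from the CVE text:
# 4.3.x is fixed in 4.3.17, 5.0.x is fixed in 5.0.6.
FIXED_PATCH = {(4, 3): 17, (5, 0): 6}

# The Spring module that contains the simple in-memory STOMP broker.
VULNERABLE_ARTIFACT = "spring-messaging"


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from Spring-style version strings such as
    '5.0.5.RELEASE', '4.3.0.RC1' or '5.0.0.M5'. Returns None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if this Spring Framework version falls inside the ranges the CVE lists.
    Pre-release qualifiers (RC, M) of an affected x.y.z are treated as affected,
    matching the rc/milestone CPEs on the page."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised Spring version: {version!r}")
    major, minor, patch = parsed
    line = (major, minor)
    if line in FIXED_PATCH:
        return patch < FIXED_PATCH[line]
    # Anything older than the 4.3 line is an "older unsupported version" and
    # therefore affected; 5.1 and later shipped after the fix.
    return line < (4, 3)


# Matches the dependency lines printed by `mvn dependency:list`, e.g.
#   [INFO]    org.springframework:spring-messaging:jar:5.0.5.RELEASE:compile
# (groupId:artifactId:type:version:scope).
DEP_LINE = re.compile(
    r"org\.springframework:(?P<artifact>[\w.-]+):[\w-]+:(?P<version>[^:\s]+):\w+"
)


def scan_dependency_list(text: str) -> List[Tuple[str, str, bool]]:
    """Return (artifact, version, affected) for every org.springframework
    artifact found. 'affected' is only ever True for spring-messaging, since
    that module holds the vulnerable broker; the other modules are reported so
    the operator can see the framework version in use."""
    findings = []
    for line in text.splitlines():
        m = DEP_LINE.search(line)
        if not m:
            continue
        artifact, version = m.group("artifact"), m.group("version")
        affected = artifact == VULNERABLE_ARTIFACT and is_affected(version)
        findings.append((artifact, version, affected))
    return findings


# Constructed sample output for the example (not captured from a real build).
SAMPLE_MVN_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.1.1:list (default-cli) @ demo ---
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-messaging:jar:5.0.5.RELEASE:compile
[INFO]    org.springframework:spring-websocket:jar:5.0.5.RELEASE:compile
[INFO]    org.springframework:spring-core:jar:5.0.5.RELEASE:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.5:compile
"""

if __name__ == "__main__":
    for artifact, version, affected in scan_dependency_list(SAMPLE_MVN_OUTPUT):
        status = "AFFECTED by CVE-2018-1257" if affected else "ok"
        print(f"{artifact}:{version}  {status}")
```

A flagged spring-messaging version means the vulnerable broker code is present; the application is only exposed if it actually enables the simple broker (in Spring's WebSocket configuration that is `MessageBrokerRegistry.enableSimpleBroker(...)`) on an endpoint reachable by untrusted clients. Upgrading the whole framework to 4.3.17 or 5.0.6 (or later) is the remediation the description implies; pinning only spring-messaging leaves mixed framework versions on the classpath.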

Published : 2018-05-11 20:29 Updated : 2019-07-23 23:15

CVSS Score: 4.0 / 10
Vendor Product Version URI
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0
Pivotal Software Spring Framework 4.3.1 cpe:/a:pivotal_software:spring_framework:4.3.1
Pivotal Software Spring Framework 4.3.2 cpe:/a:pivotal_software:spring_framework:4.3.2
Pivotal Software Spring Framework 4.3.3 cpe:/a:pivotal_software:spring_framework:4.3.3
Pivotal Software Spring Framework 4.3.4 cpe:/a:pivotal_software:spring_framework:4.3.4
Redhat Openshift - cpe:/a:redhat:openshift:-
Pivotal Software Spring Framework 4.3.5 cpe:/a:pivotal_software:spring_framework:4.3.5
Pivotal Software Spring Framework 4.3.6 cpe:/a:pivotal_software:spring_framework:4.3.6
Pivotal Software Spring Framework 4.3.7 cpe:/a:pivotal_software:spring_framework:4.3.7
Pivotal Software Spring Framework 4.3.8 cpe:/a:pivotal_software:spring_framework:4.3.8
Pivotal Software Spring Framework 4.3.9 cpe:/a:pivotal_software:spring_framework:4.3.9
Pivotal Software Spring Framework 4.3.10 cpe:/a:pivotal_software:spring_framework:4.3.10
Pivotal Software Spring Framework 4.3.11 cpe:/a:pivotal_software:spring_framework:4.3.11
Pivotal Software Spring Framework 4.3.12 cpe:/a:pivotal_software:spring_framework:4.3.12
Pivotal Software Spring Framework 4.3.13 cpe:/a:pivotal_software:spring_framework:4.3.13
Pivotal Software Spring Framework 4.3.14 cpe:/a:pivotal_software:spring_framework:4.3.14
Pivotal Software Spring Framework 4.3.15 cpe:/a:pivotal_software:spring_framework:4.3.15
Pivotal Software Spring Framework 4.3.16 cpe:/a:pivotal_software:spring_framework:4.3.16
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0
Pivotal Software Spring Framework 5.0.1 cpe:/a:pivotal_software:spring_framework:5.0.1
Pivotal Software Spring Framework 5.0.2 cpe:/a:pivotal_software:spring_framework:5.0.2
Pivotal Software Spring Framework 5.0.3 cpe:/a:pivotal_software:spring_framework:5.0.3
Pivotal Software Spring Framework 5.0.4 cpe:/a:pivotal_software:spring_framework:5.0.4
Pivotal Software Spring Framework 5.0.5 cpe:/a:pivotal_software:spring_framework:5.0.5
Oracle Agile Product Lifecycle Management 9.3.3 cpe:/a:oracle:agile_product_lifecycle_management:9.3.3
Oracle Agile Product Lifecycle Management 9.3.4 cpe:/a:oracle:agile_product_lifecycle_management:9.3.4
Oracle Agile Product Lifecycle Management 9.3.5 cpe:/a:oracle:agile_product_lifecycle_management:9.3.5
Oracle Agile Product Lifecycle Management 9.3.6 cpe:/a:oracle:agile_product_lifecycle_management:9.3.6
Oracle Application Testing Suite 12.5.0.3 cpe:/a:oracle:application_testing_suite:12.5.0.3
Oracle Application Testing Suite 13.1.0.1 cpe:/a:oracle:application_testing_suite:13.1.0.1
Oracle Application Testing Suite 13.2.0.1 cpe:/a:oracle:application_testing_suite:13.2.0.1
Oracle Application Testing Suite 13.3.0.1 cpe:/a:oracle:application_testing_suite:13.3.0.1
Oracle Big Data Discovery 1.6.0 cpe:/a:oracle:big_data_discovery:1.6.0
Oracle Communications Diameter Signaling Router 6.0 cpe:/a:oracle:communications_diameter_signaling_router:6.0
Oracle Communications Diameter Signaling Router 8.1 cpe:/a:oracle:communications_diameter_signaling_router:8.1
Oracle Communications Diameter Signaling Router 8.2 cpe:/a:oracle:communications_diameter_signaling_router:8.2
Oracle Endeca Information Discovery Integrator 3.1.0 cpe:/a:oracle:endeca_information_discovery_integrator:3.1.0
Oracle Endeca Information Discovery Integrator 3.2.0 cpe:/a:oracle:endeca_information_discovery_integrator:3.2.0
Oracle Enterprise Manager For Mysql Database 13.2 cpe:/a:oracle:enterprise_manager_for_mysql_database:13.2
Oracle Goldengate For Big Data 12.2.0.1 cpe:/a:oracle:goldengate_for_big_data:12.2.0.1
Oracle Goldengate For Big Data 12.3.1.1 cpe:/a:oracle:goldengate_for_big_data:12.3.1.1
Oracle Goldengate For Big Data 12.3.2.1 cpe:/a:oracle:goldengate_for_big_data:12.3.2.1
Oracle Health Sciences Information Manager 3.0 cpe:/a:oracle:health_sciences_information_manager:3.0
Oracle Healthcare Master Person Index 3.0 cpe:/a:oracle:healthcare_master_person_index:3.0
Oracle Healthcare Master Person Index 4.0 cpe:/a:oracle:healthcare_master_person_index:4.0
Oracle Hospitality Guest Access 4.2.0 cpe:/a:oracle:hospitality_guest_access:4.2.0
Oracle Hospitality Guest Access 4.2.1 cpe:/a:oracle:hospitality_guest_access:4.2.1
Oracle Insurance Calculation Engine 10.1.1 cpe:/a:oracle:insurance_calculation_engine:10.1.1
Oracle Insurance Calculation Engine 10.2 cpe:/a:oracle:insurance_calculation_engine:10.2
Oracle Insurance Calculation Engine 10.2.1 cpe:/a:oracle:insurance_calculation_engine:10.2.1
Oracle Insurance Rules Palette 10.0 cpe:/a:oracle:insurance_rules_palette:10.0
Oracle Insurance Rules Palette 10.1 cpe:/a:oracle:insurance_rules_palette:10.1
Oracle Insurance Rules Palette 10.2 cpe:/a:oracle:insurance_rules_palette:10.2
Oracle Insurance Rules Palette 11.0 cpe:/a:oracle:insurance_rules_palette:11.0
Oracle Insurance Rules Palette 11.1 cpe:/a:oracle:insurance_rules_palette:11.1
Oracle Primavera Gateway 15.2 cpe:/a:oracle:primavera_gateway:15.2
Oracle Primavera Gateway 16.2 cpe:/a:oracle:primavera_gateway:16.2
Oracle Primavera Gateway 17.12 cpe:/a:oracle:primavera_gateway:17.12
Oracle Retail Customer Insights 15.0 cpe:/a:oracle:retail_customer_insights:15.0
Oracle Retail Customer Insights 16.0 cpe:/a:oracle:retail_customer_insights:16.0
Oracle Retail Open Commerce Platform 5.3.0 cpe:/a:oracle:retail_open_commerce_platform:5.3.0
Oracle Retail Open Commerce Platform 6.0.0 cpe:/a:oracle:retail_open_commerce_platform:6.0.0
Oracle Retail Open Commerce Platform 6.0.1 cpe:/a:oracle:retail_open_commerce_platform:6.0.1
Oracle Retail Order Broker 5.1 cpe:/a:oracle:retail_order_broker:5.1
Oracle Retail Order Broker 5.2 cpe:/a:oracle:retail_order_broker:5.2
Oracle Retail Order Broker 15.0 cpe:/a:oracle:retail_order_broker:15.0
Oracle Retail Order Broker 16.0 cpe:/a:oracle:retail_order_broker:16.0
Oracle Retail Predictive Application Server 14.0 cpe:/a:oracle:retail_predictive_application_server:14.0
Oracle Retail Predictive Application Server 14.1 cpe:/a:oracle:retail_predictive_application_server:14.1
Oracle Retail Predictive Application Server 15.0 cpe:/a:oracle:retail_predictive_application_server:15.0
Oracle Retail Predictive Application Server 16.0 cpe:/a:oracle:retail_predictive_application_server:16.0
Oracle Service Architecture Leveraging Tuxedo 12.1.3.0.0 cpe:/a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0
Oracle Service Architecture Leveraging Tuxedo 12.2.2.0.0 cpe:/a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0
Oracle Tape Library Acsls 8.4 cpe:/a:oracle:tape_library_acsls:8.4
Oracle Weblogic Server 10.3.6.0.0 cpe:/a:oracle:weblogic_server:10.3.6.0.0
Oracle Weblogic Server 12.1.3.0.0 cpe:/a:oracle:weblogic_server:12.1.3.0.0
Oracle Weblogic Server 12.2.1.3.0 cpe:/a:oracle:weblogic_server:12.2.1.3.0
Oracle Communications Unified Inventory Management 7.3.2 cpe:/a:oracle:communications_unified_inventory_management:7.3.2
Oracle Communications Unified Inventory Management 7.3.4 cpe:/a:oracle:communications_unified_inventory_management:7.3.4
Oracle Communications Unified Inventory Management 7.3.5 cpe:/a:oracle:communications_unified_inventory_management:7.3.5
Oracle Communications Unified Inventory Management 7.4.0 cpe:/a:oracle:communications_unified_inventory_management:7.4.0
Oracle Enterprise Manager Base Platform 12.1.0.5.0 cpe:/a:oracle:enterprise_manager_base_platform:12.1.0.5.0
Oracle Enterprise Manager Base Platform 13.2.0.0.0 cpe:/a:oracle:enterprise_manager_base_platform:13.2.0.0.0
Oracle Enterprise Manager Base Platform 13.3.0.0.0 cpe:/a:oracle:enterprise_manager_base_platform:13.3.0.0.0
Oracle Enterprise Manager Ops Center 12.3.3 cpe:/a:oracle:enterprise_manager_ops_center:12.3.3
Oracle Flexcube Private Banking 2.0.0.0 cpe:/a:oracle:flexcube_private_banking:2.0.0.0
Oracle Flexcube Private Banking 2.2.0.1 cpe:/a:oracle:flexcube_private_banking:2.2.0.1
Oracle Flexcube Private Banking 12.0.1.0 cpe:/a:oracle:flexcube_private_banking:12.0.1.0
Oracle Flexcube Private Banking 12.0.3.0 cpe:/a:oracle:flexcube_private_banking:12.0.3.0
Oracle Flexcube Private Banking 12.1.0.0 cpe:/a:oracle:flexcube_private_banking:12.1.0.0
Oracle Utilities Network Management System 1.12.0.3 cpe:/a:oracle:utilities_network_management_system:1.12.0.3
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0:-
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0:rc1
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0:rc2
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:-
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone1
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone2
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone3
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone4
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone5
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc1
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc2
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc3
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc4

CWE

ID Name Description
CWE-20 Improper Input Validation The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

History of changes

Date Event
2019-07-23 23:15
2019-05-10 19:14
2019-04-23 19:31
2019-01-16 19:29
2018-12-05 11:29
2018-10-17 01:31
2018-06-18 14:41
2018-06-09 01:29
2018-05-26 01:29
2018-05-11 20:29
