CVE-2018-1275

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Published : 2018-04-11 13:29 Updated : 2019-07-03 19:15

7.5
CVSS Score More info
Score 7.5 / 10
7.5
Vendor Product Version URI
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0
Pivotal Software Spring Framework 4.3.1 cpe:/a:pivotal_software:spring_framework:4.3.1
Pivotal Software Spring Framework 4.3.2 cpe:/a:pivotal_software:spring_framework:4.3.2
Pivotal Software Spring Framework 4.3.3 cpe:/a:pivotal_software:spring_framework:4.3.3
Pivotal Software Spring Framework 4.3.4 cpe:/a:pivotal_software:spring_framework:4.3.4
Pivotal Software Spring Framework 4.3.5 cpe:/a:pivotal_software:spring_framework:4.3.5
Pivotal Software Spring Framework 4.3.6 cpe:/a:pivotal_software:spring_framework:4.3.6
Pivotal Software Spring Framework 4.3.7 cpe:/a:pivotal_software:spring_framework:4.3.7
Pivotal Software Spring Framework 4.3.8 cpe:/a:pivotal_software:spring_framework:4.3.8
Pivotal Software Spring Framework 4.3.9 cpe:/a:pivotal_software:spring_framework:4.3.9
Pivotal Software Spring Framework 4.3.10 cpe:/a:pivotal_software:spring_framework:4.3.10
Pivotal Software Spring Framework 4.3.11 cpe:/a:pivotal_software:spring_framework:4.3.11
Pivotal Software Spring Framework 4.3.12 cpe:/a:pivotal_software:spring_framework:4.3.12
Pivotal Software Spring Framework 4.3.13 cpe:/a:pivotal_software:spring_framework:4.3.13
Pivotal Software Spring Framework 4.3.14 cpe:/a:pivotal_software:spring_framework:4.3.14
Pivotal Software Spring Framework 4.3.15 cpe:/a:pivotal_software:spring_framework:4.3.15
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0
Pivotal Software Spring Framework 5.0.1 cpe:/a:pivotal_software:spring_framework:5.0.1
Pivotal Software Spring Framework 5.0.2 cpe:/a:pivotal_software:spring_framework:5.0.2
Pivotal Software Spring Framework 5.0.3 cpe:/a:pivotal_software:spring_framework:5.0.3
Pivotal Software Spring Framework 5.0.4 cpe:/a:pivotal_software:spring_framework:5.0.4
Oracle Application Testing Suite 12.5.0.3 cpe:/a:oracle:application_testing_suite:12.5.0.3
Oracle Application Testing Suite 13.1.0.1 cpe:/a:oracle:application_testing_suite:13.1.0.1
Oracle Application Testing Suite 13.2.0.1 cpe:/a:oracle:application_testing_suite:13.2.0.1
Oracle Application Testing Suite 13.3.0.1 cpe:/a:oracle:application_testing_suite:13.3.0.1
Oracle Big Data Discovery 1.6.0 cpe:/a:oracle:big_data_discovery:1.6.0
Oracle Communications Diameter Signaling Router 6.0 cpe:/a:oracle:communications_diameter_signaling_router:6.0
Oracle Communications Diameter Signaling Router 8.1 cpe:/a:oracle:communications_diameter_signaling_router:8.1
Oracle Communications Diameter Signaling Router 8.2 cpe:/a:oracle:communications_diameter_signaling_router:8.2
Oracle Goldengate For Big Data 12.2.0.1 cpe:/a:oracle:goldengate_for_big_data:12.2.0.1
Oracle Goldengate For Big Data 12.3.1.1 cpe:/a:oracle:goldengate_for_big_data:12.3.1.1
Oracle Goldengate For Big Data 12.3.2.1 cpe:/a:oracle:goldengate_for_big_data:12.3.2.1
Oracle Health Sciences Information Manager 3.0 cpe:/a:oracle:health_sciences_information_manager:3.0
Oracle Healthcare Master Person Index 3.0 cpe:/a:oracle:healthcare_master_person_index:3.0
Oracle Healthcare Master Person Index 4.0 cpe:/a:oracle:healthcare_master_person_index:4.0
Oracle Insurance Calculation Engine 10.1.1 cpe:/a:oracle:insurance_calculation_engine:10.1.1
Oracle Insurance Calculation Engine 10.2 cpe:/a:oracle:insurance_calculation_engine:10.2
Oracle Insurance Calculation Engine 10.2.1 cpe:/a:oracle:insurance_calculation_engine:10.2.1
Oracle Insurance Rules Palette 10.0 cpe:/a:oracle:insurance_rules_palette:10.0
Oracle Insurance Rules Palette 10.1 cpe:/a:oracle:insurance_rules_palette:10.1
Oracle Insurance Rules Palette 10.2 cpe:/a:oracle:insurance_rules_palette:10.2
Oracle Insurance Rules Palette 11.0 cpe:/a:oracle:insurance_rules_palette:11.0
Oracle Insurance Rules Palette 11.1 cpe:/a:oracle:insurance_rules_palette:11.1
Oracle Primavera Gateway 15.2 cpe:/a:oracle:primavera_gateway:15.2
Oracle Primavera Gateway 16.2 cpe:/a:oracle:primavera_gateway:16.2
Oracle Primavera Gateway 17.12 cpe:/a:oracle:primavera_gateway:17.12
Oracle Retail Customer Insights 15.0 cpe:/a:oracle:retail_customer_insights:15.0
Oracle Retail Customer Insights 16.0 cpe:/a:oracle:retail_customer_insights:16.0
Oracle Retail Open Commerce Platform 5.3.0 cpe:/a:oracle:retail_open_commerce_platform:5.3.0
Oracle Retail Open Commerce Platform 6.0.0 cpe:/a:oracle:retail_open_commerce_platform:6.0.0
Oracle Retail Open Commerce Platform 6.0.1 cpe:/a:oracle:retail_open_commerce_platform:6.0.1
Oracle Retail Order Broker 5.1 cpe:/a:oracle:retail_order_broker:5.1
Oracle Retail Order Broker 5.2 cpe:/a:oracle:retail_order_broker:5.2
Oracle Retail Order Broker 15.0 cpe:/a:oracle:retail_order_broker:15.0
Oracle Retail Order Broker 16.0 cpe:/a:oracle:retail_order_broker:16.0
Oracle Retail Predictive Application Server 14.0 cpe:/a:oracle:retail_predictive_application_server:14.0
Oracle Retail Predictive Application Server 14.1 cpe:/a:oracle:retail_predictive_application_server:14.1
Oracle Retail Predictive Application Server 15.0 cpe:/a:oracle:retail_predictive_application_server:15.0
Oracle Retail Predictive Application Server 16.0 cpe:/a:oracle:retail_predictive_application_server:16.0
Oracle Service Architecture Leveraging Tuxedo 12.1.3.0.0 cpe:/a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0
Oracle Service Architecture Leveraging Tuxedo 12.2.2.0.0 cpe:/a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0
Oracle Tape Library Acsls 8.4 cpe:/a:oracle:tape_library_acsls:8.4
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0:-
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0:rc1
Pivotal Software Spring Framework 4.3.0 cpe:/a:pivotal_software:spring_framework:4.3.0:rc2
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:-
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone1
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone2
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone3
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone4
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:milestone5
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc1
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc2
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc3
Pivotal Software Spring Framework 5.0.0 cpe:/a:pivotal_software:spring_framework:5.0.0:rc4
  1. Oracle (15) Search CVE
    1. Retail Customer Insights (2) Search CVE
      1. 15.0
      2. 16.0
    2. Service Architecture Leveraging Tuxedo (2) Search CVE
      1. 12.1.3.0.0
      2. 12.2.2.0.0
    3. Health Sciences Information Manager (1) Search CVE
      1. 3.0
    4. Communications Diameter Signaling Router (3) Search CVE
      1. 6.0
      2. 8.1
      3. 8.2
    5. Big Data Discovery (1) Search CVE
      1. 1.6.0
    6. Retail Predictive Application Server (4) Search CVE
      1. 14.0
      2. 14.1
      3. 15.0
      4. 16.0
    7. Insurance Rules Palette (5) Search CVE
      1. 10.0
      2. 10.1
      3. 10.2
      4. 11.0
      5. 11.1
    8. Application Testing Suite (4) Search CVE
      1. 12.5.0.3
      2. 13.1.0.1
      3. 13.2.0.1
      4. 13.3.0.1
    9. Retail Order Broker (4) Search CVE
      1. 5.1
      2. 5.2
      3. 15.0
      4. 16.0
    10. Tape Library Acsls (1) Search CVE
      1. 8.4
    11. Goldengate For Big Data (3) Search CVE
      1. 12.2.0.1
      2. 12.3.1.1
      3. 12.3.2.1
    12. Retail Open Commerce Platform (3) Search CVE
      1. 5.3.0
      2. 6.0.0
      3. 6.0.1
    13. Healthcare Master Person Index (2) Search CVE
      1. 3.0
      2. 4.0
    14. Primavera Gateway (3) Search CVE
      1. 15.2
      2. 16.2
      3. 17.12
    15. Insurance Calculation Engine (3) Search CVE
      1. 10.1.1
      2. 10.2
      3. 10.2.1
  2. Pivotal Software (1) Search CVE
    1. Spring Framework (21) Search CVE
      1. 4.3.0
      2. 4.3.1
      3. 4.3.2
      4. 4.3.3
      5. 4.3.4
      6. 4.3.5
      7. 4.3.6
      8. 4.3.7
      9. 4.3.8
      10. 4.3.9
      11. 4.3.10
      12. 4.3.11
      13. 4.3.12
      14. 4.3.13
      15. 4.3.14
      16. 4.3.15
      17. 5.0.0
      18. 5.0.1
      19. 5.0.2
      20. 5.0.3
      21. 5.0.4

CWE

ID Name Description Links
CWE-358 Improperly Implemented Security Check for Standard The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique. CVE

History of changes

Date Event
2019-07-03 19:15
2019-03-21 14:25
2019-01-16 19:29
2018-10-18 10:29
2018-10-17 01:31
2018-07-28 01:29
2018-07-19 01:29
2018-05-11 11:40
2018-05-05 01:29
2018-04-19 01:29
2018-04-11 13:29

New CVE