CVE-2018-11039
Severity: MEDIUM
Spring Framework < 4.3.18 - HTTP Method Override to Cross-Site Tracing
Title source: llmDescription
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allows a web application to change the HTTP request method to any HTTP method, including TRACE, through the HiddenHttpMethodFilter in Spring MVC. If the application also has a pre-existing XSS vulnerability, an attacker can use this filter to escalate it to a cross-site tracing (XST) attack.
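The mechanism behind the advisory, as an added example (not Spring Framework source and not code from this advisory): HiddenHttpMethodFilter reads a hidden form field, `_method` by default, from a POST and dispatches the request as whatever method that field names. The unpatched filter honours any name, so a POST carrying `_method=TRACE` is handled as TRACE. The fixed releases only honour PUT, DELETE and PATCH, the methods an HTML form cannot express natively; that allow-list is taken from the fix, not from this page. The override matters for XST because browsers refuse to issue TRACE from script (fetch and XMLHttpRequest treat it as a forbidden method) but will happily send the POST, attaching cookies themselves, and a servlet's default TRACE handler echoes the request headers back in a `message/http` body. The two `effective_method_*` functions below model the pre- and post-fix decision, `build_xst_probe` produces the raw request a tester would send, and `echoes_request` checks a captured response for a header echo. Host names, cookie values and the sample response are constructed placeholders.

```python
"""Model of the HiddenHttpMethodFilter override decision before and after the
CVE-2018-11039 fix, plus a small XST probe/response check.

Added example, not Spring Framework source. The allow-list of PUT/DELETE/PATCH
reflects what the fixed releases (4.3.18, 5.0.7) restrict the override to.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Default name of the hidden form field the filter reads.
HIDDEN_METHOD_PARAM = "_method"

# Methods the patched filter still lets a form select.
FIXED_ALLOWED_METHODS = frozenset({"PUT", "DELETE", "PATCH"})

FORM_CT = "application/x-www-form-urlencoded"


@dataclass
class Request:
    """Minimal request model: only the fields the filter looks at."""
    method: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def hidden_method(req):
    """Return the uppercased `_method` value from a POSTed form, or None.

    Simplification: the real filter reads request parameters, which the servlet
    API also takes from the query string; here only the form body is parsed.
    """
    if req.method != "POST":
        return None
    if not req.headers.get("Content-Type", "").startswith(FORM_CT):
        return None
    values = parse_qs(req.body).get(HIDDEN_METHOD_PARAM, [])
    if not values or not values[0].strip():
        return None
    return values[0].strip().upper()


def effective_method_vulnerable(req):
    """Pre-fix: whatever the form field names becomes the request method."""
    return hidden_method(req) or req.method


def effective_method_fixed(req):
    """Post-fix: only PUT/DELETE/PATCH are honoured; anything else stays POST."""
    m = hidden_method(req)
    return m if m in FIXED_ALLOWED_METHODS else req.method


def build_xst_probe(host, path="/", cookie="JSESSIONID=REDACTED"):
    """Raw HTTP/1.1 request that exercises the override.

    A browser will not issue TRACE from script, but it will issue this POST and
    attach cookies itself; the unpatched filter then dispatches it as TRACE.
    The cookie value is a constructed placeholder.
    """
    body = f"{HIDDEN_METHOD_PARAM}=TRACE"
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: {FORM_CT}\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Cookie: {cookie}\r\n"
        f"\r\n{body}"
    )


def echoes_request(raw_response):
    """True if the response is a servlet-style TRACE echo reflecting headers.

    The default servlet TRACE handler answers 200 with Content-Type message/http
    and the request line plus headers as the body; a reflected Cookie header is
    what makes the echo useful to an XSS payload.
    """
    head, _, body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return (
        lines[0].startswith("HTTP/1.1 200")
        and headers.get("content-type", "").startswith("message/http")
        and "\r\nCookie:" in "\r\n" + body
    )


# Constructed sample traffic for a stand-alone run.
PROBE = Request("POST", {"Content-Type": FORM_CT}, f"{HIDDEN_METHOD_PARAM}=TRACE")
FORM_DELETE = Request("POST", {"Content-Type": FORM_CT}, f"{HIDDEN_METHOD_PARAM}=delete")
ECHO_RESPONSE = (
    "HTTP/1.1 200 \r\nContent-Type: message/http\r\n\r\n"
    "TRACE / HTTP/1.1\r\nHost: app.example\r\nCookie: JSESSIONID=REDACTED\r\n"
)
REJECTED_RESPONSE = "HTTP/1.1 405 \r\nAllow: GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print("unpatched:", effective_method_vulnerable(PROBE))  # TRACE
    print("patched:  ", effective_method_fixed(PROBE))  # POST
    print("patched, form DELETE:", effective_method_fixed(FORM_DELETE))  # DELETE
    print(build_xst_probe("app.example"))
    print("echo:", echoes_request(ECHO_RESPONSE), echoes_request(REJECTED_RESPONSE))
```

When probing a real deployment, send the output of `build_xst_probe` (for example with `curl -X POST --data '_method=TRACE'`) and run the captured response through `echoes_request`; a `message/http` body that repeats your Cookie header means the override reaches the servlet's TRACE handler. Disabling TRACE at the container level does not help on its own, because the browser-visible method is POST; upgrading to 4.3.18 / 5.0.7 or removing HiddenHttpMethodFilter where it is not needed does.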
References (10)
http://www.securityfocus.com/bid/107984 (Third Party Advisory, VDB Entry; link now broken)
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (Patch, Third Party Advisory)
https://www.oracle.com/security-alerts/cpujul2020.html (Patch, Third Party Advisory)
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (Patch, Third Party Advisory)
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (Patch, Third Party Advisory)
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (Patch, Third Party Advisory)
https://www.oracle.com/security-alerts/cpujan2020.html (Patch, Third Party Advisory)
https://pivotal.io/security/cve-2018-11039 (Mitigation, Vendor Advisory)
https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html (Mailing List, Third Party Advisory)
https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
Scores
CVSS v3.1 base score: 5.9 (MEDIUM)
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
EPSS: 0.0260 (85.8th percentile)
Details
Status: published
Products (50)
debian/debian_linux 9.0
oracle/agile_plm 9.3.3
oracle/agile_plm 9.3.4
oracle/agile_plm 9.3.5
oracle/agile_plm 9.3.6
oracle/application_testing_suite 12.5.0.3
oracle/application_testing_suite 13.1.0.1
oracle/application_testing_suite 13.2.0.1
oracle/application_testing_suite 13.3.0.1
oracle/communications_diameter_signaling_router < 8.3
... and 40 more
Published: Jun 25, 2018
Tracked Since: Feb 18, 2026