CVE-2018-11040
Moderate severity vulnerability that affects org.springframework:spring-core
Description
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
How to fix CVE-2018-11040
To remediate CVE-2018-11040, upgrade the affected package to a fixed version below.
- —upgrade to 4.3.19-1 or later
- —upgrade to 5.0.7.RELEASE or later
Is CVE-2018-11040 being exploited?
Moderate — EPSS is 6.6%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- from 0, < 4.3.19-1
- >= 5.0.0.RELEASE, < 5.0.7.RELEASE
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |