CVE-2018-1257
Denial of Service in org.springframework:spring-core
Severity: 6.5 MEDIUM (CVSS 3.1)
EPSS: 1.2%
Description
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that leads to a regular-expression denial of service (ReDoS) attack.
How to fix CVE-2018-1257
To remediate CVE-2018-1257, upgrade the affected package to a fixed version below.
- 4.3.x: upgrade to 4.3.19-1 or later
- 5.0.x: upgrade to 5.0.6 or later
Is CVE-2018-1257 being exploited?
Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 0, < 4.3.19-1
- >= 5.0.0, < 5.0.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |