← Back

CVE-2018-15756

nvd nist
Published: Oct 18, 2018Modified: Nov 21, 2024

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 / Impact: 3.6
Source: NVD

Description

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Affected (114)

Products: Vmware: Spring Framework · Oracle: Agile Plm, Communications Brm Elastic Charging Engine, Communications Converged Application Server Service Controller, Communications Diameter Signaling Router, Communications Element Manager, Communications Online Mediation Controller, Communications Session Report Manager, Communications Session Route Manager, Communications Unified Inventory Management, Endeca Information Discovery Integrator, Enterprise Manager For Fusion Applications, Enterprise Manager Ops Center, Financial Services Analytical Applications Infrastructure, Flexcube Private Banking, Goldengate Application Adapters, Healthcare Master Person Index, Identity Manager Connector, Insurance Calculation Engine, Insurance Policy Administration J2ee, Insurance Rules Palette, Mysql Enterprise Monitor, Primavera Analytics, Primavera Gateway, Rapid Planning, Retail Advanced Inventory Planning, Retail Assortment Planning, Retail Clearance Optimization Engine, Retail Financial Integration, Retail Integration Bus, Retail Invoice Matching, Retail Markdown Optimization, Retail Order Broker, Retail Predictive Application Server, Retail Service Backbone, Retail Xstore Point Of Service, Tape Library Acsls, Webcenter Sites, Weblogic Server · Debian: Debian Linux
Vmware
1 product
Spring Framework
Oracle
38 products
Agile Plm
Communications Brm Elastic Charging Engine
Communications Converged Application Server Service Controller
Communications Diameter Signaling Router
Communications Element Manager
Communications Online Mediation Controller
Communications Session Report Manager
Communications Session Route Manager
Communications Unified Inventory Management
Endeca Information Discovery Integrator
Enterprise Manager For Fusion Applications
Enterprise Manager Ops Center
Financial Services Analytical Applications Infrastructure
Flexcube Private Banking
Goldengate Application Adapters
Healthcare Master Person Index
Identity Manager Connector
Insurance Calculation Engine
Insurance Policy Administration J2ee
Insurance Rules Palette
Mysql Enterprise Monitor
Primavera Analytics
Primavera Gateway
Rapid Planning
Retail Advanced Inventory Planning
Retail Assortment Planning
Retail Clearance Optimization Engine
Retail Financial Integration
Retail Integration Bus
Retail Invoice Matching
Retail Markdown Optimization
Retail Order Broker
Retail Predictive Application Server
Retail Service Backbone
Retail Xstore Point Of Service
Tape Library Acsls
Webcenter Sites
Weblogic Server
Debian
1 product
Debian Linux
Configuration A
3 vulnerable
Vulnerable SoftwareAffected Versions
Vmware
Spring Framework
From 4.2.0 to 4.3.20
Spring Framework
From 5.0.0 to 5.0.10
Spring Framework
Version 5.1.0
Configuration B
110 vulnerable
Vulnerable SoftwareAffected Versions
Oracle
Agile Plm
Version 9.3.3
Agile Plm
Version 9.3.4
Agile Plm
Version 9.3.5
Agile Plm
Version 9.3.6
Oracle
Communications Brm Elastic Charging Engine
Version 11.3
Communications Brm Elastic Charging Engine
Version 12.0
Oracle
Communications Converged Application Server Service Controller
Version 6.0
Communications Converged Application Server Service Controller
Version 6.1
Oracle
Communications Diameter Signaling Router
Version 8.0.0
Communications Diameter Signaling Router
Version 8.1
Communications Diameter Signaling Router
Version 8.2.1
Communications Diameter Signaling Router
Version 8.2
Oracle
Communications Element Manager
Version 8.1.1
Communications Element Manager
Version 8.2.0
Communications Element Manager
Version 8.2.1
Communications Online Mediation Controller
Version 6.1
Oracle
Communications Session Report Manager
Version 8.0.0
Communications Session Report Manager
Version 8.1.0
Communications Session Report Manager
Version 8.1.1
Communications Session Report Manager
Version 8.2.0
Communications Session Report Manager
Version 8.2.1
Oracle
Communications Session Route Manager
Version 8.0.0
Communications Session Route Manager
Version 8.1.0
Communications Session Route Manager
Version 8.1.1
Communications Session Route Manager
Version 8.2.0
Communications Session Route Manager
Version 8.2.1
Oracle
Communications Unified Inventory Management
Version 7.3
Communications Unified Inventory Management
Version 7.4.0
Endeca Information Discovery Integrator
Version 3.2.0
Enterprise Manager For Fusion Applications
Version 13.3.0.0
Enterprise Manager Ops Center
Version 12.3.3
Financial Services Analytical Applications Infrastructure
From 8.0.2 to 8.0.8
Oracle
Flexcube Private Banking
Version 12.0.1
Flexcube Private Banking
Version 12.0.3
Flexcube Private Banking
Version 12.1.0
Goldengate Application Adapters
Version 12.3.2.1.0
Oracle
Healthcare Master Person Index
Version 3.0
Healthcare Master Person Index
Version 4.0.2
Identity Manager Connector
Version 9.0
Oracle
Insurance Calculation Engine
Version 10.0
Insurance Calculation Engine
Version 10.1
Insurance Calculation Engine
Version 10.2
Insurance Calculation Engine
Version 9.7
Oracle
Insurance Policy Administration J2ee
Version 10.0
Insurance Policy Administration J2ee
Version 10.1
Insurance Policy Administration J2ee
Version 10.2.0
Insurance Policy Administration J2ee
Version 10.2.4
Insurance Policy Administration J2ee
Version 10.2
Insurance Policy Administration J2ee
Version 11.0
Insurance Policy Administration J2ee
Version 11.1.0
Insurance Policy Administration J2ee
Version 11.2.0
Oracle
Insurance Rules Palette
Version 10.0
Insurance Rules Palette
Version 10.1
Insurance Rules Palette
Version 10.2.0
Insurance Rules Palette
Version 10.2.4
Insurance Rules Palette
Version 10.2
Insurance Rules Palette
Version 11.0.2
Insurance Rules Palette
Version 11.0
Insurance Rules Palette
Version 11.1.0
Insurance Rules Palette
Version 11.2.0
Oracle
Mysql Enterprise Monitor
Up to 4.0.12
Mysql Enterprise Monitor
From 8.0.0 to 8.0.20
Primavera Analytics
Version 18.8
Oracle
Primavera Gateway
Version 15.2
Primavera Gateway
Version 16.2
Primavera Gateway
Version 17.12
Primavera Gateway
Version 18.8.0
Oracle
Rapid Planning
Version 12.1
Rapid Planning
Version 12.2
Retail Advanced Inventory Planning
Version 15.0
Oracle
Retail Assortment Planning
Version 15.0
Retail Assortment Planning
Version 16.0
Retail Clearance Optimization Engine
Version 14.0.5
Oracle
Retail Financial Integration
Version 14.0
Retail Financial Integration
Version 14.1
Retail Financial Integration
Version 15.0
Retail Financial Integration
Version 16.0
Oracle
Retail Integration Bus
Version 15.0.3
Retail Integration Bus
Version 15.0
Retail Integration Bus
Version 16.0.3
Retail Integration Bus
Version 16.0
Oracle
Retail Invoice Matching
Version 12.0
Retail Invoice Matching
Version 13.0
Retail Invoice Matching
Version 13.1
Retail Invoice Matching
Version 13.2
Retail Invoice Matching
Version 14.0
Retail Invoice Matching
Version 14.1
Retail Markdown Optimization
Version 13.4.4
Oracle
Retail Order Broker
Version 15.0
Retail Order Broker
Version 16.0
Retail Order Broker
Version 5.1
Retail Order Broker
Version 5.2
Oracle
Retail Predictive Application Server
Version 14.0.3.26
Retail Predictive Application Server
Version 14.0.3
Retail Predictive Application Server
Version 14.1.3.37
Retail Predictive Application Server
Version 14.1.3
Retail Predictive Application Server
Version 15.0.3.100
Retail Predictive Application Server
Version 15.0.3
Retail Predictive Application Server
Version 16.0.3
Retail Predictive Application Server
Version 16.0
Oracle
Retail Service Backbone
Version 15.0
Retail Service Backbone
Version 16.0.1
Retail Service Backbone
Version 16.0
Retail Xstore Point Of Service
Version 7.1
Tape Library Acsls
Version 8.5
Webcenter Sites
Version 12.2.1.3.0
Oracle
Weblogic Server
Version 10.3.6.0.0
Weblogic Server
Version 12.1.3.0.0
Weblogic Server
Version 12.2.1.3.0
Weblogic Server
Version 12.2.1.4.0
Configuration C
1 vulnerable
Vulnerable SoftwareAffected Versions
Debian Linux
Version 9.0

References (42)

Source: security_alert@emc.com
Third Party AdvisoryVDB EntryURL Repurposed
Source: security_alert@emc.com
Source: security_alert@emc.com
Source: security_alert@emc.com
Source: security_alert@emc.com
Source: security_alert@emc.com
Source: security_alert@emc.com
Source: security_alert@emc.com
Source: security_alert@emc.com
Source: security_alert@emc.com
Source: security_alert@emc.com
Mailing ListThird Party Advisory
Source: security_alert@emc.com
Vendor Advisory
Source: security_alert@emc.com
PatchThird Party Advisory
Source: security_alert@emc.com
PatchThird Party Advisory
Source: security_alert@emc.com
PatchThird Party Advisory
Source: security_alert@emc.com
PatchThird Party Advisory
Source: security_alert@emc.com
PatchThird Party Advisory
Source: security_alert@emc.com
Not ApplicableThird Party Advisory
Source: security_alert@emc.com
PatchThird Party Advisory
Source: security_alert@emc.com
Third Party Advisory
Source: security_alert@emc.com
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryVDB EntryURL Repurposed
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Not ApplicableThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory

Timeline

No history available yet.