CVE-2018-11039
CVE-2018-11039 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack. EPSS estimates a 2.78% chance of exploitation in the next 30 days.
Description
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| VMware | Spring Framework | < 4.3.18 |
| VMware | Spring Framework | >= 5.0.0, < 5.0.7 |
| Oracle | Agile PLM | 9.3.3 |
| Oracle | Agile PLM | 9.3.4 |
| Oracle | Agile PLM | 9.3.5 |
| Oracle | Agile PLM | 9.3.6 |
| Oracle | Application Testing Suite | 12.5.0.3 |
| Oracle | Application Testing Suite | 13.1.0.1 |
| Oracle | Application Testing Suite | 13.2.0.1 |
| Oracle | Application Testing Suite | 13.3.0.1 |
| Oracle | Communications Diameter Signaling Router | < 8.3 |
| Oracle | Communications Network Integrity | >= 7.3.2, <= 7.3.6 |
| Oracle | Communications Online Mediation Controller | 6.1 |
| Oracle | Communications Performance Intelligence Center | < 10.2.1 |
| Oracle | Communications Services Gatekeeper | < 6.1.0.4.0 |
| Oracle | Communications Unified Inventory Management | 7.3.2 |
| Oracle | Communications Unified Inventory Management | 7.3.4 |
| Oracle | Communications Unified Inventory Management | 7.3.5 |
| Oracle | Communications Unified Inventory Management | 7.4.0 |
| Oracle | Endeca Information Discovery Integrator | 3.1.0 |
| Oracle | Endeca Information Discovery Integrator | 3.2.0 |
| Oracle | Enterprise Manager Base Platform | 12.1.0.5.0 |
| Oracle | Enterprise Manager Base Platform | 13.2.0.0.0 |
| Oracle | Enterprise Manager Base Platform | 13.3.0.0.0 |
| Oracle | Enterprise Manager For MySQL Database | 13.2 |
| Oracle | Enterprise Manager Ops Center | 12.3.3 |
| Oracle | Health Sciences Information Manager | 3.0 |
| Oracle | Healthcare Master Person Index | 3.0 |
| Oracle | Healthcare Master Person Index | 4.0 |
| Oracle | Hospitality Guest Access | 4.2.0 |
| Oracle | Hospitality Guest Access | 4.2.1 |
| Oracle | Insurance Calculation Engine | >= 11.0.0, <= 11.3.1 |
| Oracle | Insurance Calculation Engine | 10.2 |
| Oracle | Insurance Rules Palette | 10.0 |
| Oracle | Insurance Rules Palette | 10.2 |
| Oracle | Micros Lucas | 2.9.5 |
| Oracle | MySQL Enterprise Monitor | <= 3.4.9.4237 |
| Oracle | MySQL Enterprise Monitor | >= 4.0.0, <= 4.0.6.5281 |
| Oracle | MySQL Enterprise Monitor | >= 8.0.0, <= 8.0.2.8191 |
| Oracle | Primavera P6 Enterprise Project Portfolio Management | 18.8 |
| Oracle | Retail Advanced Inventory Planning | 15.0 |
| Oracle | Retail Assortment Planning | 14.1 |
| Oracle | Retail Assortment Planning | 15.0 |
| Oracle | Retail Assortment Planning | 16.0 |
| Oracle | Retail Clearance Optimization Engine | 14.0.5 |
| Oracle | Retail Customer Insights | 15.0 |
| Oracle | Retail Customer Insights | 16.0 |
| Oracle | Retail Financial Integration | 13.2 |
| Oracle | Retail Financial Integration | 14.0 |
| Oracle | Retail Financial Integration | 14.1 |
Showing 50 of 64 affected configurations. See NVD for the full list.
References
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (Patch, Third Party Advisory)
- http://www.securityfocus.com/bid/107984 (Broken Link, Third Party Advisory, VDB Entry)
- https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html (Mailing List, Third Party Advisory)
- https://pivotal.io/security/cve-2018-11039 (Mitigation, Vendor Advisory)
- https://www.oracle.com/security-alerts/cpujan2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (Patch, Third Party Advisory)
Source: NVD / NIST
