CVE-2018-11040

Name: CVE-2018-11040
Creator: NVD / NIST
Published: 2018-06-25T15:29:00.363+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 3.24%

Last modified Jun 17, 2026

CVE-2018-11040 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.. EPSS estimates a 3.24% chance of exploitation in the next 30 days.

Description

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

3.24%

86.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-829

Affected Software

Vendor	Product	Versions
Vmware	Spring Framework	< 4.3.18
Vmware	Spring Framework	>= 5.0.0, < 5.0.7
Oracle	Agile Product Lifecycle Management	9.3.3
Oracle	Agile Product Lifecycle Management	9.3.4
Oracle	Agile Product Lifecycle Management	9.3.5
Oracle	Application Testing Suite	12.5.0.3
Oracle	Application Testing Suite	13.1.0.1
Oracle	Application Testing Suite	13.2.0.1
Oracle	Application Testing Suite	13.3.0.1
Oracle	Communications Network Integrity	>= 7.3.2, <= 7.3.6
Oracle	Communications Online Mediation Controller	6.1
Oracle	Communications Services Gatekeeper	< 6.1.0.4.0
Oracle	Communications Unified Inventory Management	7.3.2
Oracle	Communications Unified Inventory Management	7.3.4
Oracle	Communications Unified Inventory Management	7.3.5
Oracle	Communications Unified Inventory Management	7.4.0
Oracle	Endeca Information Discovery Integrator	3.1.0
Oracle	Endeca Information Discovery Integrator	3.2.0
Oracle	Enterprise Manager	13.2
Oracle	Enterprise Manager Ops Center	12.3.3
Oracle	Flexcube Private Banking	2.0.0.0
Oracle	Flexcube Private Banking	2.2.0.1
Oracle	Flexcube Private Banking	12.0.1.0
Oracle	Flexcube Private Banking	12.0.3.0
Oracle	Flexcube Private Banking	12.1.0.0
Oracle	Healthcare Master Person Index	3.0
Oracle	Healthcare Master Person Index	4.0
Oracle	Hospitality Guest Access	4.2.0
Oracle	Hospitality Guest Access	4.2.1
Oracle	Insurance Calculation Engine	>= 11.0.0, <= 11.3.1
Oracle	Insurance Rules Palette	10.0
Oracle	Insurance Rules Palette	10.2
Oracle	Micros Lucas	2.9.5
Oracle	Mysql Enterprise Monitor	<= 3.4.9.4237
Oracle	Mysql Enterprise Monitor	>= 3.4.10, <= 4.0.6.5281
Oracle	Mysql Enterprise Monitor	>= 4.0.7, <= 8.0.2.8191
Oracle	Product Lifecycle Management	9.3.6
Oracle	Retail Advanced Inventory Planning	15.0
Oracle	Retail Clearance Optimization Engine	14.0.5
Oracle	Retail Customer Insights	15.0
Oracle	Retail Customer Insights	16.0
Oracle	Retail Markdown Optimization	13.4.4
Oracle	Retail Predictive Application Server	14.0.3.26
Oracle	Retail Predictive Application Server	14.1.3.37
Oracle	Retail Predictive Application Server	15.0.3.100
Oracle	Retail Predictive Application Server	16.0
Oracle	Retail Service Backbone	16.0.1
Oracle	Retail Xstore Point Of Service	7.1
Oracle	Utilities Network Management System	1.12.0.3
Oracle	Weblogic Server	12.2.1.3.0

Showing 50 of 51 affected configurations. See NVD for the full list.

References

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlPatch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00022.htmlMailing List, Third Party Advisory
https://pivotal.io/security/cve-2018-11040Mitigation, Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2020.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlPatch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlPatch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00022.htmlMailing List, Third Party Advisory
https://pivotal.io/security/cve-2018-11040Mitigation, Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2020.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlPatch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlPatch, Third Party Advisory

Timeline

Published: Jun 25, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-11040?

How severe is CVE-2018-11040?

CVE-2018-11040 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 3.24% probability of exploitation in the next 30 days.

How do I fix CVE-2018-11040?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-11040?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST