CVE-2018-1258
CVE-2018-1258 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Spring Framework version 5.0.5, when used in combination with any version of Spring Security, contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. EPSS estimates a 2.43% chance of exploitation in the next 30 days.
Description
Spring Framework version 5.0.5, when used in combination with any version of Spring Security, contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Pivotal Software | Spring Security | All versions |
| Vmware | Spring Framework | 5.0.5 |
| Oracle | Agile Plm | 9.3.3 |
| Oracle | Agile Plm | 9.3.4 |
| Oracle | Agile Plm | 9.3.5 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Application Testing Suite | 10.1 |
| Oracle | Application Testing Suite | 12.5.0.3 |
| Oracle | Application Testing Suite | 13.1.0.1 |
| Oracle | Application Testing Suite | 13.2.0.1 |
| Oracle | Application Testing Suite | 13.3.0.1 |
| Oracle | Big Data Discovery | 1.6.0 |
| Oracle | Communications Converged Application Server | < 7.0.0.1 |
| Oracle | Communications Diameter Signaling Router | < 8.3 |
| Oracle | Communications Network Integrity | >= 7.3.2, <= 7.3.6 |
| Oracle | Communications Performance Intelligence Center | < 10.2.1 |
| Oracle | Communications Services Gatekeeper | < 6.1.0.4.0 |
| Oracle | Endeca Information Discovery Integrator | 3.1.0 |
| Oracle | Endeca Information Discovery Integrator | 3.2.0 |
| Oracle | Enterprise Manager For Mysql Database | 13.2 |
| Oracle | Enterprise Manager Ops Center | 12.2.2 |
| Oracle | Enterprise Manager Ops Center | 12.3.3 |
| Oracle | Enterprise Repository | 11.1.1.7.0 |
| Oracle | Enterprise Repository | 12.1.3.0.0 |
| Oracle | Goldengate For Big Data | 12.2.0.1 |
| Oracle | Goldengate For Big Data | 12.3.1.1 |
| Oracle | Goldengate For Big Data | 12.3.2.1 |
| Oracle | Health Sciences Information Manager | 3.0 |
| Oracle | Healthcare Master Person Index | 3.0 |
| Oracle | Healthcare Master Person Index | 4.0 |
| Oracle | Hospitality Guest Access | 4.2.0 |
| Oracle | Hospitality Guest Access | 4.2.1 |
| Oracle | Insurance Calculation Engine | 10.1.1 |
| Oracle | Insurance Calculation Engine | 10.2 |
| Oracle | Insurance Calculation Engine | 10.2.1 |
| Oracle | Insurance Policy Administration | 10.0 |
| Oracle | Insurance Policy Administration | 10.1 |
| Oracle | Insurance Policy Administration | 10.2 |
| Oracle | Insurance Policy Administration | 11.0 |
| Oracle | Insurance Rules Palette | 10.0 |
| Oracle | Insurance Rules Palette | 10.1 |
| Oracle | Insurance Rules Palette | 10.2 |
| Oracle | Insurance Rules Palette | 11.0 |
| Oracle | Insurance Rules Palette | 11.1 |
| Oracle | Micros Lucas | 2.9.5 |
| Oracle | Mysql Enterprise Monitor | <= 8.0.2.8191 |
| Oracle | Peoplesoft Enterprise Fin Install | 9.2 |
| Oracle | Retail Assortment Planning | 14.1 |
| Oracle | Retail Assortment Planning | 15.0 |
| Oracle | Retail Assortment Planning | 16.0 |
Showing 50 of 81 affected configurations. See NVD for the full list.
References
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (Patch, Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (Patch, Third Party Advisory)
- http://www.securityfocus.com/bid/104222 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1041888 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1041896 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2019:2413 (Patch, Third Party Advisory)
- https://pivotal.io/security/cve-2018-1258 (Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20181018-0002/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (Patch, Third Party Advisory)
Source: NVD / NIST
