Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveDellCVE-2018-15756
HistoryOct 18, 2018 - 10:29 p.m.

CVE-2018-15756

2018-10-1822:29:00
dell
web.nvd.nist.gov
143
4
spring framework
cve
2018
15756
denial of service
vulnerability
nvd

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.1

Confidence

High

EPSS

0.004

Percentile

75.2%

JSON

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Affected configurations

Nvd
Vulners
Node
vmwarespring_frameworkRange4.2.04.3.20
OR
vmwarespring_frameworkRange5.0.05.0.10
OR
vmwarespring_frameworkMatch5.1.0
Node
oracleagile_plmMatch9.3.3
OR
oracleagile_plmMatch9.3.4
OR
oracleagile_plmMatch9.3.5
OR
oracleagile_plmMatch9.3.6
OR
oraclecommunications_brm_-_elastic_charging_engineMatch11.3
OR
oraclecommunications_brm_-_elastic_charging_engineMatch12.0
OR
oraclecommunications_converged_application_server_-_service_controllerMatch6.0
OR
oraclecommunications_converged_application_server_-_service_controllerMatch6.1
OR
oraclecommunications_diameter_signaling_routerMatch8.0.0
OR
oraclecommunications_diameter_signaling_routerMatch8.1
OR
oraclecommunications_diameter_signaling_routerMatch8.2
OR
oraclecommunications_diameter_signaling_routerMatch8.2.1
OR
oraclecommunications_element_managerMatch8.1.1
OR
oraclecommunications_element_managerMatch8.2.0
OR
oraclecommunications_element_managerMatch8.2.1
OR
oraclecommunications_online_mediation_controllerMatch6.1
OR
oraclecommunications_session_report_managerMatch8.0.0
OR
oraclecommunications_session_report_managerMatch8.1.0
OR
oraclecommunications_session_report_managerMatch8.1.1
OR
oraclecommunications_session_report_managerMatch8.2.0
OR
oraclecommunications_session_report_managerMatch8.2.1
OR
oraclecommunications_session_route_managerMatch8.0.0
OR
oraclecommunications_session_route_managerMatch8.1.0
OR
oraclecommunications_session_route_managerMatch8.1.1
OR
oraclecommunications_session_route_managerMatch8.2.0
OR
oraclecommunications_session_route_managerMatch8.2.1
OR
oraclecommunications_unified_inventory_managementMatch7.3
OR
oraclecommunications_unified_inventory_managementMatch7.4.0
OR
oracleendeca_information_discovery_integratorMatch3.2.0
OR
oracleenterprise_manager_for_fusion_applicationsMatch13.3.0.0
OR
oracleenterprise_manager_ops_centerMatch12.3.3
OR
oraclefinancial_services_analytical_applications_infrastructureRange8.0.28.0.8
OR
oracleflexcube_private_bankingMatch12.0.1
OR
oracleflexcube_private_bankingMatch12.0.3
OR
oracleflexcube_private_bankingMatch12.1.0
OR
oraclegoldengate_application_adaptersMatch12.3.2.1.0
OR
oraclehealthcare_master_person_indexMatch3.0
OR
oraclehealthcare_master_person_indexMatch4.0.2
OR
oracleidentity_manager_connectorMatch9.0
OR
oracleinsurance_calculation_engineMatch9.7
OR
oracleinsurance_calculation_engineMatch10.0
OR
oracleinsurance_calculation_engineMatch10.1
OR
oracleinsurance_calculation_engineMatch10.2
OR
oracleinsurance_policy_administration_j2eeMatch10.0
OR
oracleinsurance_policy_administration_j2eeMatch10.1
OR
oracleinsurance_policy_administration_j2eeMatch10.2
OR
oracleinsurance_policy_administration_j2eeMatch10.2.0
OR
oracleinsurance_policy_administration_j2eeMatch10.2.4
OR
oracleinsurance_policy_administration_j2eeMatch11.0
OR
oracleinsurance_policy_administration_j2eeMatch11.1.0
OR
oracleinsurance_policy_administration_j2eeMatch11.2.0
OR
oracleinsurance_rules_paletteMatch10.0
OR
oracleinsurance_rules_paletteMatch10.1
OR
oracleinsurance_rules_paletteMatch10.2
OR
oracleinsurance_rules_paletteMatch10.2.0
OR
oracleinsurance_rules_paletteMatch10.2.4
OR
oracleinsurance_rules_paletteMatch11.0
OR
oracleinsurance_rules_paletteMatch11.0.2
OR
oracleinsurance_rules_paletteMatch11.1.0
OR
oracleinsurance_rules_paletteMatch11.2.0
OR
oraclemysql_enterprise_monitorRange4.0.12
OR
oraclemysql_enterprise_monitorRange8.0.08.0.20
OR
oracleprimavera_analyticsMatch18.8
OR
oracleprimavera_gatewayMatch15.2
OR
oracleprimavera_gatewayMatch16.2
OR
oracleprimavera_gatewayMatch17.12
OR
oracleprimavera_gatewayMatch18.8.0
OR
oraclerapid_planningMatch12.1
OR
oraclerapid_planningMatch12.2
OR
oracleretail_advanced_inventory_planningMatch15.0
OR
oracleretail_assortment_planningMatch15.0
OR
oracleretail_assortment_planningMatch16.0
OR
oracleretail_clearance_optimization_engineMatch14.0.5
OR
oracleretail_financial_integrationMatch14.0
OR
oracleretail_financial_integrationMatch14.1
OR
oracleretail_financial_integrationMatch15.0
OR
oracleretail_financial_integrationMatch16.0
OR
oracleretail_integration_busMatch15.0
OR
oracleretail_integration_busMatch15.0.3
OR
oracleretail_integration_busMatch16.0
OR
oracleretail_integration_busMatch16.0.3
OR
oracleretail_invoice_matchingMatch12.0
OR
oracleretail_invoice_matchingMatch13.0
OR
oracleretail_invoice_matchingMatch13.1
OR
oracleretail_invoice_matchingMatch13.2
OR
oracleretail_invoice_matchingMatch14.0
OR
oracleretail_invoice_matchingMatch14.1
OR
oracleretail_markdown_optimizationMatch13.4.4
OR
oracleretail_order_brokerMatch5.1
OR
oracleretail_order_brokerMatch5.2
OR
oracleretail_order_brokerMatch15.0
OR
oracleretail_order_brokerMatch16.0
OR
oracleretail_predictive_application_serverMatch14.0.3
OR
oracleretail_predictive_application_serverMatch14.0.3.26
OR
oracleretail_predictive_application_serverMatch14.1.3
OR
oracleretail_predictive_application_serverMatch14.1.3.37
OR
oracleretail_predictive_application_serverMatch15.0.3
OR
oracleretail_predictive_application_serverMatch15.0.3.100
OR
oracleretail_predictive_application_serverMatch16.0
OR
oracleretail_predictive_application_serverMatch16.0.3
OR
oracleretail_service_backboneMatch15.0
OR
oracleretail_service_backboneMatch16.0
OR
oracleretail_service_backboneMatch16.0.1
OR
oracleretail_xstore_point_of_serviceMatch7.1
OR
oracletape_library_acslsMatch8.5
OR
oraclewebcenter_sitesMatch12.2.1.3.0
OR
oracleweblogic_serverMatch10.3.6.0.0
OR
oracleweblogic_serverMatch12.1.3.0.0
OR
oracleweblogic_serverMatch12.2.1.3.0
OR
oracleweblogic_serverMatch12.2.1.4.0
Node
debiandebian_linuxMatch9.0
VendorProductVersionCPE
vmwarespring_framework*cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
vmwarespring_framework5.1.0cpe:2.3:a:vmware:spring_framework:5.1.0:*:*:*:*:*:*:*
oracleagile_plm9.3.3cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*
oracleagile_plm9.3.4cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:*
oracleagile_plm9.3.5cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*
oracleagile_plm9.3.6cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
oraclecommunications_brm_-_elastic_charging_engine11.3cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3:*:*:*:*:*:*:*
oraclecommunications_brm_-_elastic_charging_engine12.0cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0:*:*:*:*:*:*:*
oraclecommunications_converged_application_server_-_service_controller6.0cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.0:*:*:*:*:*:*:*
oraclecommunications_converged_application_server_-_service_controller6.1cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.1:*:*:*:*:*:*:*
Rows per page:
1-10 of 1121

CNA Affected

[
  {
    "product": "Spring framework",
    "vendor": "Pivotal",
    "versions": [
      {
        "status": "affected",
        "version": "5.1"
      },
      {
        "lessThanOrEqual": "5.0.9",
        "status": "affected",
        "version": "5.0.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "4.3.19",
        "status": "affected",
        "version": "4.3",
        "versionType": "custom"
      }
    ]
  }
]

References

Social References

More

Related

symantec 1
ibm 13
osv 3
ubuntucve 1
nessus 9
nvd 1
github 1
debiancve 1
cvelist 1
prion 1
veracode 1
redhatcve 1
redhat 2
openvas 1
debian 1
atlassian 1
oracle 8
symantec
symantec
Spring Framework CVE-2018-15756 Denial-Of-Service Vulnerability
2018-10-16 00:00:00
ibm
ibm
Security Bulletin: Public disclosed vulnerability from Spring Framework affects IBM Spectrum LSF Explorer
2019-02-22 05:15:02
Security Bulletin: Vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2018-15756)
2020-05-22 17:46:55
Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2018-15756)
2019-06-28 15:35:01
osv
osv
Denial of Service in Spring Framework
2020-06-15 19:34:50
CVE-2018-15756
2018-10-18 22:29:00
libspring-java - security update
2021-04-23 00:00:00
ubuntucve
ubuntucve
CVE-2018-15756
2018-10-18 00:00:00
nessus
nessus
Oracle GoldenGate for Big Data 12.3.1.1.x < 12.3.1.1.6 / 12.3.2.1.x < 12.3.2.1.5 Spring Framework DoS (Oct 2019 CPU)
2019-10-16 00:00:00
MySQL Enterprise Monitor 4.x < 4.0.10 / 8.x < 8.0.15 DoS (Jul 2019 CPU)
2020-07-24 00:00:00
Oracle Identity Manager Connector Multiple Vulnerabilities (April 2020 CPU)
2020-05-01 00:00:00
nvd
nvd
CVE-2018-15756
2018-10-18 22:29:00
github
github
Denial of Service in Spring Framework
2020-06-15 19:34:50
debiancve
debiancve
CVE-2018-15756
2018-10-18 22:29:00
cvelist
cvelist
CVE-2018-15756 DoS Attack via Range Requests
2018-10-18 22:00:00
prion
prion
Denial of service
2018-10-18 22:29:00
veracode
veracode
Denial Of Service (DoS)
2018-10-19 02:43:50
redhatcve
redhatcve
CVE-2018-15756
2018-10-25 12:49:01
redhat
redhat
(RHSA-2020:3133) Important: Red Hat AMQ Broker 7.4.4 release and security update
2020-07-23 15:06:14
(RHSA-2020:0983) Important: Red Hat Fuse 7.6.0 security update
2020-03-26 15:40:22
openvas
openvas
Debian: Security Advisory (DLA-2635-1)
2021-04-24 00:00:00
debian
debian
[SECURITY] [DLA 2635-1] libspring-java security update
2021-04-23 18:29:29
atlassian
atlassian
Insecure version of Spring Web MVC used in Confluence Analytics
2020-02-19 22:31:10
oracle
oracle
Oracle Critical Patch Update Advisory - October 2019
2020-01-22 00:00:00
Oracle Critical Patch Update Advisory - April 2019
2019-04-16 00:00:00
Oracle Critical Patch Update Advisory - January 2021
2021-01-19 00:00:00

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.1

Confidence

High

EPSS

0.004

Percentile

75.2%

JSON
Related for CVE-2018-15756
symantec1ibm13osv3ubuntucve1nessus9nvd1github1debiancve1cvelist1prion1veracode1redhatcve1redhat2openvas1debian1atlassian1oracle8