Lucene search

[email protected]NVD:CVE-2018-11039

HistoryJun 25, 2018 - 3:29 p.m.

CVE-2018-11039

2018-06-2515:29:00

[email protected]

web.nvd.nist.gov

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

6.5 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.3%

JSON

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Affected configurations

NVD

Node

vmwarespring_frameworkRange<4.3.18

vmwarespring_frameworkRange5.0.0–5.0.7

Node

oracleagile_plmMatch9.3.3

oracleagile_plmMatch9.3.4

oracleagile_plmMatch9.3.5

oracleagile_plmMatch9.3.6

oracleapplication_testing_suiteMatch12.5.0.3

oracleapplication_testing_suiteMatch13.1.0.1

oracleapplication_testing_suiteMatch13.2.0.1

oracleapplication_testing_suiteMatch13.3.0.1

oraclecommunications_diameter_signaling_routerRange<8.3

oraclecommunications_network_integrityRange7.3.2–7.3.6

oraclecommunications_online_mediation_controllerMatch6.1

oraclecommunications_performance_intelligence_centerRange<10.2.1

oraclecommunications_services_gatekeeperRange<6.1.0.4.0

oraclecommunications_unified_inventory_managementMatch7.3.2

oraclecommunications_unified_inventory_managementMatch7.3.4

oraclecommunications_unified_inventory_managementMatch7.3.5

oraclecommunications_unified_inventory_managementMatch7.4.0

oracleendeca_information_discovery_integratorMatch3.1.0

oracleendeca_information_discovery_integratorMatch3.2.0

oracleenterprise_manager_base_platformMatch12.1.0.5.0

oracleenterprise_manager_base_platformMatch13.2.0.0.0

oracleenterprise_manager_base_platformMatch13.3.0.0.0

oracleenterprise_manager_for_mysql_databaseMatch13.2

oracleenterprise_manager_ops_centerMatch12.3.3

oraclehealth_sciences_information_managerMatch3.0

oraclehealthcare_master_person_indexMatch3.0

oraclehealthcare_master_person_indexMatch4.0

oraclehospitality_guest_accessMatch4.2.0

oraclehospitality_guest_accessMatch4.2.1

oracleinsurance_calculation_engineRange11.0.0–11.3.1

oracleinsurance_calculation_engineMatch10.2

oracleinsurance_rules_paletteMatch10.0

oracleinsurance_rules_paletteMatch10.2

oraclemicros_lucasMatch2.9.5

oraclemysql_enterprise_monitorRange≤3.4.9.4237

oraclemysql_enterprise_monitorRange4.0.0–4.0.6.5281

oraclemysql_enterprise_monitorRange8.0.0–8.0.2.8191

oracleprimavera_p6_enterprise_project_portfolio_managementMatch18.8

oracleretail_advanced_inventory_planningMatch15.0

oracleretail_assortment_planningMatch14.1

oracleretail_assortment_planningMatch15.0

oracleretail_assortment_planningMatch16.0

oracleretail_clearance_optimization_engineMatch14.0.5

oracleretail_customer_insightsMatch15.0

oracleretail_customer_insightsMatch16.0

oracleretail_financial_integrationMatch13.2

oracleretail_financial_integrationMatch14.0

oracleretail_financial_integrationMatch14.1

oracleretail_financial_integrationMatch15.0

oracleretail_financial_integrationMatch16.0

oracleretail_integration_busMatch14.1.2

oracleretail_markdown_optimizationMatch13.4.4

oracleretail_predictive_application_serverMatch14.0.3.26

oracleretail_predictive_application_serverMatch14.1.3.37

oracleretail_predictive_application_serverMatch15.0.3..100

oracleretail_predictive_application_serverMatch16.0

oracleretail_xstore_point_of_serviceMatch7.1

oracleutilities_network_management_systemMatch1.12.0.3

oracleweblogic_serverMatch10.3.6.0.0

oracleweblogic_serverMatch12.1.3.0.0

oracleweblogic_serverMatch12.2.1.3.0

Node

debiandebian_linuxMatch9.0

References

www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

www.securityfocus.com/bid/107984

lists.debian.org/debian-lts-announce/2021/04/msg00022.html

pivotal.io/security/cve-2018-11039

www.oracle.com/security-alerts/cpujan2020.html

www.oracle.com/security-alerts/cpujul2020.html

www.oracle.com/security-alerts/cpuoct2021.html

www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

6.5 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.3%

JSON

Related for NVD:CVE-2018-11039

veracode1 osv3 cve1 github1 cvelist1 redhatcve1 debiancve1 prion1 ubuntucve1 nessus4 openvas1 debian1 pentestpartners1 ibm2 oracle7