Lucene search

[email protected]NVD:CVE-2018-11040

HistoryJun 25, 2018 - 3:29 p.m.

CVE-2018-11040

2018-06-2515:29:00

CWE-829

[email protected]

web.nvd.nist.gov

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.9 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.3%

JSON

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the “jsonp” and “callback” JSONP parameters, enabling cross-domain requests.

Affected configurations

NVD

Node

vmwarespring_frameworkRange<4.3.18

vmwarespring_frameworkRange5.0.0–5.0.7

Node

oracleagile_product_lifecycle_managementMatch9.3.3

oracleagile_product_lifecycle_managementMatch9.3.4

oracleagile_product_lifecycle_managementMatch9.3.5

oracleapplication_testing_suiteMatch12.5.0.3

oracleapplication_testing_suiteMatch13.1.0.1

oracleapplication_testing_suiteMatch13.2.0.1

oracleapplication_testing_suiteMatch13.3.0.1

oraclecommunications_network_integrityRange7.3.2–7.3.6

oraclecommunications_online_mediation_controllerMatch6.1

oraclecommunications_services_gatekeeperRange<6.1.0.4.0

oraclecommunications_unified_inventory_managementMatch7.3.2

oraclecommunications_unified_inventory_managementMatch7.3.4

oraclecommunications_unified_inventory_managementMatch7.3.5

oraclecommunications_unified_inventory_managementMatch7.4.0

oracleendeca_information_discovery_integratorMatch3.1.0

oracleendeca_information_discovery_integratorMatch3.2.0

oracleenterprise_managerMatch13.2mysql

oracleenterprise_manager_ops_centerMatch12.3.3

oracleflexcube_private_bankingMatch2.0.0.0

oracleflexcube_private_bankingMatch2.2.0.1

oracleflexcube_private_bankingMatch12.0.1.0

oracleflexcube_private_bankingMatch12.0.3.0

oracleflexcube_private_bankingMatch12.1.0.0

oraclehealthcare_master_person_indexMatch3.0

oraclehealthcare_master_person_indexMatch4.0

oraclehospitality_guest_accessMatch4.2.0

oraclehospitality_guest_accessMatch4.2.1

oracleinsurance_calculation_engineRange11.0.0–11.3.1

oracleinsurance_rules_paletteMatch10.0

oracleinsurance_rules_paletteMatch10.2

oraclemicros_lucasMatch2.9.5

oraclemysql_enterprise_monitorRange≤3.4.9.4237

oraclemysql_enterprise_monitorRange3.4.10–4.0.6.5281

oraclemysql_enterprise_monitorRange4.0.7–8.0.2.8191

oracleproduct_lifecycle_managementMatch9.3.6

oracleretail_advanced_inventory_planningMatch15.0

oracleretail_clearance_optimization_engineMatch14.0.5

oracleretail_customer_insightsMatch15.0

oracleretail_customer_insightsMatch16.0

oracleretail_markdown_optimizationMatch13.4.4

oracleretail_predictive_application_serverMatch14.0.3.26

oracleretail_predictive_application_serverMatch14.1.3.37

oracleretail_predictive_application_serverMatch15.0.3.100

oracleretail_predictive_application_serverMatch16.0

oracleretail_service_backboneMatch16.0.1

oracleretail_xstore_point_of_serviceMatch7.1

oracleutilities_network_management_systemMatch1.12.0.3

oracleweblogic_serverMatch12.2.1.3.0

Node

debiandebian_linuxMatch9.0

References

www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

lists.debian.org/debian-lts-announce/2021/04/msg00022.html

pivotal.io/security/cve-2018-11040

www.oracle.com/security-alerts/cpujan2020.html

www.oracle.com/security-alerts/cpujul2020.html

www.oracle.com/security-alerts/cpuoct2021.html

www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.9 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.3%

JSON

Related for NVD:CVE-2018-11040

cve1 debiancve1 ubuntucve1 osv3 veracode1 cvelist1 github1 prion1 redhatcve1 openvas1 nessus3 debian1 ibm2 oracle7