CVE-2018-11039
- Source
- https://cve.org/CVERecord?id=CVE-2018-11039
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-11039.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2018-11039
- Aliases
- Downstream
- Published
- 2018-06-25T15:29:00.317Z
- Modified
- 2026-04-10T04:04:15.132429Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
- References
-
- http://www.securityfocus.com/bid/107984
- https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html
- https://pivotal.io/security/cve-2018-11039
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Affected packages
Git / github.com/spring-projects/spring-framework
Affected ranges
- Type
- GIT
- Repo
- https://github.com/spring-projects/spring-framework
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "4.3.18" }, { "introduced": "5.0.0" }, { "fixed": "5.0.7" }, { "introduced": "0" }, { "last_affected": "6.1" }, { "introduced": "0" }, { "last_affected": "3.1.0" }, { "introduced": "0" }, { "last_affected": "3.2.0" }, { "introduced": "0" }, { "last_affected": "3.0" }, { "introduced": "0" }, { "last_affected": "3.0" }, { "introduced": "0" }, { "last_affected": "4.0" }, { "introduced": "0" }, { "last_affected": "4.2.0" }, { "introduced": "0" }, { "last_affected": "4.2.1" } ] }
Affected versions
v3.*
v3.0.0.RELEASE
v3.1.0.RELEASE
v3.2.0.M1
v3.2.0.M2
v3.2.0.RC1
v3.2.0.RC2-A
v3.2.0.RELEASE
v4.*
v4.0.0.M1
v4.0.0.M2
v4.0.0.M3
v4.0.0.RC1
v4.0.0.RC2
v4.0.0.RELEASE
v4.2.0.RELEASE
v4.2.1.RELEASE
v5.*
v5.0.5.RELEASE
v6.*
v6.1.0
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-11039.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.3.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.3.4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.3.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.3.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.5.0.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "13.1.0.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "13.2.0.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "13.3.0.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.3"
}
]
},
{
"events": [
{
"introduced": "7.3.2"
},
{
"last_affected": "7.3.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.2.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.1.0.4.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.3.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.3.4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.3.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.1.0.5.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "13.2.0.0.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "13.3.0.0.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "13.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.3.3"
}
]
},
{
"events": [
{
"introduced": "11.0.0"
},
{
"last_affected": "11.3.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.9.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.4.9.4237"
}
]
},
{
"events": [
{
"introduced": "4.0.0"
},
{
"last_affected": "4.0.6.5281"
}
]
},
{
"events": [
{
"introduced": "8.0.0"
},
{
"last_affected": "8.0.2.8191"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "18.8"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "15.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "15.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.0.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "15.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "13.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "15.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.1.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "13.4.4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.0.3.26"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.1.3.37"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "15.0.3..100"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.12.0.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.3.6.0.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.1.3.0.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.1.3.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
}
]