GHSA-f26x-pr96-vw86

Source
https://github.com/advisories/GHSA-f26x-pr96-vw86
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-f26x-pr96-vw86/GHSA-f26x-pr96-vw86.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f26x-pr96-vw86
Aliases
Published
2018-10-16T17:43:45Z
Modified
2024-05-15T06:31:22.122564Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Moderate severity vulnerability that affects org.springframework:spring-core
Details

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, once MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" request parameters, enabling cross-domain requests. The security-relevant consequence is that JSONP bypasses the same-origin policy: a page on any origin can include the endpoint in a script tag, the browser attaches the victim's cookies, and the JSON rendered by that view is handed to a function the attacker named in the query string (CVSS C:H, I:N, A:N). Practitioners should check for MappingJackson2JsonView beans and @ControllerAdvice subclasses of AbstractJsonpResponseBodyAdvice, upgrade to 5.0.7 or 4.3.18, and, where cross-origin access is actually required, use CORS rather than JSONP; a view that must stay registered can be told to honour no JSONP parameter names at all (setJsonpParameterNames with an empty set).

Database specific
{
    "nvd_published_at": "2018-06-25T15:29:00Z",
    "cwe_ids": [
        "CWE-829"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:33:24Z"
}
References

Affected packages

Maven / org.springframework:spring-core

Package

Name
org.springframework:spring-core
Purl
pkg:maven/org.springframework/spring-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0.RELEASE
Fixed
5.0.7.RELEASE

Affected versions

5.*

5.0.0.RELEASE
5.0.1.RELEASE
5.0.2.RELEASE
5.0.3.RELEASE
5.0.4.RELEASE
5.0.5.RELEASE
5.0.6.RELEASE

Maven / org.springframework:spring-core

Package

Name
org.springframework:spring-core
Purl
pkg:maven/org.springframework/spring-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.3.0.RELEASE
Fixed
4.3.18.RELEASE

Affected versions

4.*

4.3.0.RELEASE
4.3.1.RELEASE
4.3.2.RELEASE
4.3.3.RELEASE
4.3.4.RELEASE
4.3.5.RELEASE
4.3.6.RELEASE
4.3.7.RELEASE
4.3.8.RELEASE
4.3.9.RELEASE
4.3.10.RELEASE
4.3.11.RELEASE
4.3.12.RELEASE
4.3.13.RELEASE
4.3.14.RELEASE
4.3.15.RELEASE
4.3.16.RELEASE
4.3.17.RELEASE