GHSA-p5hg-3xm3-gcjg

Source

https://github.com/advisories/GHSA-p5hg-3xm3-gcjg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-p5hg-3xm3-gcjg/GHSA-p5hg-3xm3-gcjg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p5hg-3xm3-gcjg

Aliases

CVE-2018-1270

Published

2018-10-17T20:05:59Z

Modified

2024-02-17T05:29:04.185282Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Spring Framework allows applications to expose STOMP over WebSocket endpoints

Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Database specific

{
    "nvd_published_at": "2018-04-06T13:29:00Z",
    "cwe_ids": [
        "CWE-358",
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:47:59Z"
}

References

Affected packages

Maven / org.springframework:spring-core

Package

Name: org.springframework:spring-core; View open source insights on deps.dev
Purl: pkg:maven/org.springframework/spring-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.5

Affected versions

5.*

5.0.0.RELEASE

5.0.1.RELEASE

5.0.2.RELEASE

5.0.3.RELEASE

5.0.4.RELEASE

Maven / org.springframework:spring-core

Package

Name: org.springframework:spring-core; View open source insights on deps.dev
Purl: pkg:maven/org.springframework/spring-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.16

Affected versions

1.*

1.0-rc1

1.0

1.0.1

1.1-rc1

1.1-rc2

1.1

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.2-rc1

1.2-rc2

1.2

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

2.*

2.0-m1

2.0-m2

2.0-m3

2.0-m4

2.0-m5

2.0-rc1

2.0-rc2

2.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.5

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.6.SEC01

2.5.6.SEC02

2.5.6.SEC03

3.*

3.0.0.RELEASE

3.0.1.RELEASE

3.0.2.RELEASE

3.0.3.RELEASE

3.0.4.RELEASE

3.0.5.RELEASE

3.0.6.RELEASE

3.0.7.RELEASE

3.1.0.RELEASE

3.1.1.RELEASE

3.1.2.RELEASE

3.1.3.RELEASE

3.1.4.RELEASE

3.2.0.RELEASE

3.2.1.RELEASE

3.2.2.RELEASE

3.2.3.RELEASE

3.2.4.RELEASE

3.2.5.RELEASE

3.2.6.RELEASE

3.2.7.RELEASE

3.2.8.RELEASE

3.2.9.RELEASE

3.2.10.RELEASE

3.2.11.RELEASE

3.2.12.RELEASE

3.2.13.RELEASE

3.2.14.RELEASE

3.2.15.RELEASE

3.2.16.RELEASE

3.2.17.RELEASE

3.2.18.RELEASE

4.*

4.0.0.RELEASE

4.0.1.RELEASE

4.0.2.RELEASE

4.0.3.RELEASE

4.0.4.RELEASE

4.0.5.RELEASE

4.0.6.RELEASE

4.0.7.RELEASE

4.0.8.RELEASE

4.0.9.RELEASE

4.1.0.RELEASE

4.1.1.RELEASE

4.1.2.RELEASE

4.1.3.RELEASE

4.1.4.RELEASE

4.1.5.RELEASE

4.1.6.RELEASE

4.1.7.RELEASE

4.1.8.RELEASE

4.1.9.RELEASE

4.2.0.RELEASE

4.2.1.RELEASE

4.2.2.RELEASE

4.2.3.RELEASE

4.2.4.RELEASE

4.2.5.RELEASE

4.2.6.RELEASE

4.2.7.RELEASE

4.2.8.RELEASE

4.2.9.RELEASE

4.3.0.RELEASE

4.3.1.RELEASE

4.3.2.RELEASE

4.3.3.RELEASE

4.3.4.RELEASE

4.3.5.RELEASE

4.3.6.RELEASE

4.3.7.RELEASE

4.3.8.RELEASE

4.3.9.RELEASE

4.3.10.RELEASE

4.3.11.RELEASE

4.3.12.RELEASE

4.3.13.RELEASE

4.3.14.RELEASE

4.3.15.RELEASE