Lucene search

[email protected]CVE-2018-1258

HistoryMay 11, 2018 - 8:29 p.m.

CVE-2018-1258

2018-05-1120:29:00

CWE-863

[email protected]

web.nvd.nist.gov

154

cve-2018-1258

spring framework

authorization bypass

method security

nvd

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.006 Low

EPSS

Percentile

78.8%

JSON

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

CPENameOperatorVersion
oracle:weblogic_serveroracle weblogic servereq12.2.1.2
oracle:enterprise_manager_ops_centeroracle enterprise manager ops centereq12.2.2
oracle:weblogic_serveroracle weblogic servereq12.1.3.0
oracle:weblogic_serveroracle weblogic servereq10.3.6.0
oracle:enterprise_repositoryoracle enterprise repositoryeq12.1.3.0.0
oracle:enterprise_repositoryoracle enterprise repositoryeq11.1.1.7.0
oracle:application_testing_suiteoracle application testing suiteeq12.5.0.3
oracle:retail_back_officeoracle retail back officeeq14.1
oracle:retail_back_officeoracle retail back officeeq14.0
oracle:hospitality_guest_accessoracle hospitality guest accesseq4.2.0

CPE	Name	Operator	Version
oracle:weblogic_server	oracle weblogic server	eq	12.2.1.2
oracle:enterprise_manager_ops_center	oracle enterprise manager ops center	eq	12.2.2
oracle:weblogic_server	oracle weblogic server	eq	12.1.3.0
oracle:weblogic_server	oracle weblogic server	eq	10.3.6.0
oracle:enterprise_repository	oracle enterprise repository	eq	12.1.3.0.0
oracle:enterprise_repository	oracle enterprise repository	eq	11.1.1.7.0
oracle:application_testing_suite	oracle application testing suite	eq	12.5.0.3
oracle:retail_back_office	oracle retail back office	eq	14.1
oracle:retail_back_office	oracle retail back office	eq	14.0
oracle:hospitality_guest_access	oracle hospitality guest access	eq	4.2.0