Security Alert

Spring Vulnerabilities

Original date: 19.06.2018
Overall risk classification: MEDIUM

Overview

Pivotal has published two vulnerabilities in the Spring Framework. The first may inadvertently enable cross-domain requests via JSONP (JSON with padding), even though this technique is not supposed to be enabled by default. Enabling JSONP allows cross-domain requests from untrusted sources, which may expose sensitive data to third-party browser scripts [1].
The second vulnerability affects the HiddenHttpMethodFilter in Spring MVC (enabled by default), which can be used to change the HTTP request method to any HTTP method. If the server handles TRACE requests and the application is already susceptible to XSS, an attacker may use this vulnerability for cross-site tracing (XST) attacks [2].

Systems Affected

Spring Framework 4.1 – 4.3.17, 5.0 – 5.0.6 [1, 2].

Threat

Risk: LOW / MEDIUM
Enabling JSONP allows cross-domain requests from untrusted sources, which may expose sensitive data to third-party browser scripts. Allowing cross-site tracing may reveal internal diagnostic information about the server.
Exploitability: MEDIUM
For the JSONP problem, the following prerequisites must be met:
MappingJackson2JsonView is explicitly configured
The jsonpParameterNames property of the MappingJackson2JsonView is set to an empty set.
The application exposes sensitive user information over endpoints that can render content with JSONP.
The HTTP method problem can be exploited if the HiddenHttpMethodFilter is in use (enabled by default in Spring Boot) and the server handles TRACE requests.
Priority (for affected, internet-exposed systems): MEDIUM
Priority (for internal systems): LOW
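As an added illustration that is not part of the original advisory, the following Python check scans web-server access logs for the two request patterns described above: POST requests whose method override is something other than the usual PUT/PATCH/DELETE, and JSONP callback parameters on sensitive endpoints. It assumes the filter's default override parameter name "_method", the view's default JSONP parameter names "jsonp" and "callback", and constructed sample log lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jun/2018:10:01:02 +0200] "POST /api/orders?_method=DELETE HTTP/1.1" 200 12
10.0.0.5 - - [19/Jun/2018:10:01:05 +0200] "POST /api/orders?_method=TRACE HTTP/1.1" 200 512
10.0.0.9 - - [19/Jun/2018:10:02:11 +0200] "GET /api/profile?callback=cb1 HTTP/1.1" 200 881
10.0.0.9 - - [19/Jun/2018:10:02:12 +0200] "GET /api/profile HTTP/1.1" 200 812
10.0.0.7 - - [19/Jun/2018:10:03:40 +0200] "GET /static/app.js?jsonp=cb HTTP/1.1" 200 9921
10.0.0.7 - - [19/Jun/2018:10:04:01 +0200] "GET /api/orders?_method=TRACE HTTP/1.1" 200 12
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumptions: HiddenHttpMethodFilter reads the override from "_method" and
# only acts on POST requests; MappingJackson2JsonView accepts "jsonp" and
# "callback" as JSONP parameters by default.
OVERRIDE_PARAM = "_method"
JSONP_PARAMS = ("jsonp", "callback")
EXPECTED_OVERRIDES = {"PUT", "PATCH", "DELETE"}   # what a REST app normally needs
SENSITIVE_PREFIXES = ("/api/",)                  # endpoints that render user data

def analyse(log_text):
    """Return (ip, path, finding, detail) tuples for suspicious requests.
    Caveat: overrides sent in a form body are not visible in access logs;
    only query-string parameters can be inspected here."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        params = parse_qs(parts.query)
        # Method override only matters on POST, which is when the filter applies.
        if m["method"] == "POST":
            for value in params.get(OVERRIDE_PARAM, []):
                if value.upper() not in EXPECTED_OVERRIDES:
                    findings.append((m["ip"], parts.path, "method-override", value.upper()))
        # JSONP callback parameters on endpoints that could leak user data.
        if parts.path.startswith(SENSITIVE_PREFIXES):
            for name in JSONP_PARAMS:
                if name in params:
                    findings.append((m["ip"], parts.path, "jsonp-callback", name))
    return findings
```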

Mitigation

Update to the latest versions of the Spring Framework (5.0.7 or 4.3.18) [1, 2].
Generally, it is strongly recommended to use CORS instead of JSONP for cross-domain requests.

Author

Björn Kirschner

References

[1] https://pivotal.io//security/cve-2018-11040
[2] https://pivotal.io/security/cve-2018-11039

If you need help assessing the risk of your project, do not hesitate to contact us!