{"id":14318,"date":"2018-06-19T10:53:52","date_gmt":"2018-06-19T08:53:52","guid":{"rendered":"\/?p=14318"},"modified":"2019-03-12T04:02:41","modified_gmt":"2019-03-12T03:02:41","slug":"spring-vulnerabilities","status":"publish","type":"post","link":"\/de\/security-alert\/spring-vulnerabilities\/","title":{"rendered":"Spring Vulnerabilities"},"content":{"rendered":"<p>Original date: 19.06.2018<br \/>\nOverall risk classification: <span class=\"badge badge-warning\">MEDIUM<\/span><\/p>\n<h3>Overview<\/h3>\n<p>Pivotal has published two vulnerabilities of the Spring Framework. The first may inadvertently enable cross-domain requests via JSONP (JSON with padding) even though this technique should not be enabled by default. Enabling JSONP allows cross-domain requests from untrusted sources, which may expose sensitive data to 3rd party browser scripts [1].<br \/>\nThe second vulnerability affects the HiddenHttpMethodFilter in Spring MVC (enabled by default) which may be used to change the HTTP request method to any HTTP method. If the server handles TRACE requests and the application is already susceptible to XSS, an attacker may use this vulnerability for cross-site tracing attacks [2].<\/p>\n<h3>Systems Affected<\/h3>\n<p>Spring Framework 4.1 \u2013 4.3.17, 5.0 \u2013 5.0.6 [1, 2].<\/p>\n<h3>Threat<\/h3>\n<p><strong>Risk<\/strong>: <span class=\"badge badge-low\">LOW<\/span> \/ <span class=\"badge badge-warning\">MEDIUM<\/span><br \/>\nEnabling JSONP allows cross-domain requests from untrusted sources, which may expose sensitive data to 3rd party browser scripts. Allowing cross-site tracing may reveal internal diagnostics information about the server.<br \/>\n<strong>Exploitability<\/strong>: <span class=\"badge badge-warning\">MEDIUM<\/span><br \/>\nFor the JSONP problem, the following prerequisites must be met:<br \/>\nMappingJackson2JsonView is explicitly configured<br \/>\nThe jsonpParameterNames property of the MappingJackson2JsonView is set to an empty set.<br \/>\nThe application exposes sensitive user information over endpoints that can render content with JSONP.<br \/>\nThe HTTP method problem can be exploited if the HiddenHttpMethodFilter is used (enabled by default in Spring Boot) and the server handles TRACE requests.<br \/>\n<strong>Priority<\/strong> (for affected, internet-exposed systems): <span class=\"badge badge-warning\">MEDIUM<\/span><br \/>\n<strong>Priority<\/strong> (for internal systems): <span class=\"badge badge-low\">LOW<\/span><\/p>\n<h3>Mitigation<\/h3>\n<p>Update to the latest versions of the Spring Framework (5.0.7 or 4.3.18) [1, 2].<br \/>\nGenerally, it is strongly recommended to use CORS instead of JSONP for cross-domain requests. <\/p>\n<h3>Author<\/h3>\n<p>Bj\u00f6rn Kirschner<\/p>\n<h3>References<\/h3>\n<p>[1] https:\/\/pivotal.io\/\/security\/cve-2018-11040<br \/>\n[2] https:\/\/pivotal.io\/security\/cve-2018-11039<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pivotal has published two vulnerabilities of the Spring Framework. The first may inadvertently enable cross-domain requests via JSONP. The second vulnerability affects the HiddenHttpMethodFilter in Spring MVC.<\/p>\n","protected":false},"author":29,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[64],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Spring Vulnerabilities - sectest.team<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"\/security-alert\/spring-vulnerabilities\/\" \/>\n<meta property=\"og:locale\" content=\"de_DE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Spring Vulnerabilities\" \/>\n<meta property=\"og:description\" content=\"Pivotal has published two vulnerabilities of the Spring Framework. The first may inadvertently enable cross-domain requests via JSONP. The second vulnerability affects the HiddenHttpMethodFilter in Spring MVC.\" \/>\n<meta property=\"og:url\" content=\"\/security-alert\/spring-vulnerabilities\/\" \/>\n<meta property=\"og:site_name\" content=\"sectest.team\" \/>\n<meta property=\"article:published_time\" content=\"2018-06-19T08:53:52+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-03-12T03:02:41+00:00\" \/>\n<meta name=\"author\" content=\"Tuyen Nguyen\" \/>\n<meta name=\"twitter:label1\" content=\"Verfasst von\" \/>\n\t<meta name=\"twitter:data1\" content=\"Tuyen Nguyen\" \/>\n\t<meta name=\"twitter:label2\" content=\"Gesch\u00e4tzte Lesezeit\" \/>\n\t<meta name=\"twitter:data2\" content=\"1\u00a0Minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"\/security-alert\/spring-vulnerabilities\/\",\"url\":\"https:\/\/sectest.hostpress.me\/security-alert\/spring-vulnerabilities\/\",\"name\":\"[:en]Spring Vulnerabilities[:] - sectest.team\",\"isPartOf\":{\"@id\":\"https:\/\/sectest.hostpress.me\/#website\"},\"datePublished\":\"2018-06-19T08:53:52+00:00\",\"dateModified\":\"2019-03-12T03:02:41+00:00\",\"author\":{\"@id\":\"https:\/\/sectest.hostpress.me\/#\/schema\/person\/ac34e9ab3a597646eb101a26405d2c28\"},\"breadcrumb\":{\"@id\":\"https:\/\/sectest.hostpress.me\/security-alert\/spring-vulnerabilities\/#breadcrumb\"},\"inLanguage\":\"de-DE\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/sectest.hostpress.me\/security-alert\/spring-vulnerabilities\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/sectest.hostpress.me\/security-alert\/spring-vulnerabilities\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"\/de\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Spring Vulnerabilities\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/sectest.hostpress.me\/#website\",\"url\":\"https:\/\/sectest.hostpress.me\/\",\"name\":\"sectest.team\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/sectest.hostpress.me\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"de-DE\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/sectest.hostpress.me\/#\/schema\/person\/ac34e9ab3a597646eb101a26405d2c28\",\"name\":\"Tuyen Nguyen\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de-DE\",\"@id\":\"https:\/\/sectest.hostpress.me\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ebe0b5655ad033f17aac019256490ba4?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ebe0b5655ad033f17aac019256490ba4?s=96&d=mm&r=g\",\"caption\":\"Tuyen Nguyen\"},\"url\":\"\/de\/security-alert\/author\/tutnguyen\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Spring Vulnerabilities - sectest.team","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/sectest.hostpress.me\/security-alert\/spring-vulnerabilities\/","og_locale":"de_DE","og_type":"article","og_title":"[:en]Spring Vulnerabilities[:] - sectest.team","og_description":"[:en]Pivotal has published two vulnerabilities of the Spring Framework. The first may inadvertently enable cross-domain requests via JSONP. The second vulnerability affects the HiddenHttpMethodFilter in Spring MVC.[:]","og_url":"\/security-alert\/spring-vulnerabilities\/","og_site_name":"sectest.team","article_published_time":"2018-06-19T08:53:52+00:00","article_modified_time":"2019-03-12T03:02:41+00:00","author":"Tuyen Nguyen","twitter_misc":{"Verfasst von":"Tuyen Nguyen","Gesch\u00e4tzte Lesezeit":"1\u00a0Minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"\/security-alert\/spring-vulnerabilities\/","url":"https:\/\/sectest.hostpress.me\/security-alert\/spring-vulnerabilities\/","name":"[:en]Spring Vulnerabilities[:] - sectest.team","isPartOf":{"@id":"https:\/\/sectest.hostpress.me\/#website"},"datePublished":"2018-06-19T08:53:52+00:00","dateModified":"2019-03-12T03:02:41+00:00","author":{"@id":"https:\/\/sectest.hostpress.me\/#\/schema\/person\/ac34e9ab3a597646eb101a26405d2c28"},"breadcrumb":{"@id":"https:\/\/sectest.hostpress.me\/security-alert\/spring-vulnerabilities\/#breadcrumb"},"inLanguage":"de-DE","potentialAction":[{"@type":"ReadAction","target":["https:\/\/sectest.hostpress.me\/security-alert\/spring-vulnerabilities\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/sectest.hostpress.me\/security-alert\/spring-vulnerabilities\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"\/de\/"},{"@type":"ListItem","position":2,"name":"Spring Vulnerabilities"}]},{"@type":"WebSite","@id":"https:\/\/sectest.hostpress.me\/#website","url":"https:\/\/sectest.hostpress.me\/","name":"sectest.team","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/sectest.hostpress.me\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"de-DE"},{"@type":"Person","@id":"https:\/\/sectest.hostpress.me\/#\/schema\/person\/ac34e9ab3a597646eb101a26405d2c28","name":"Tuyen Nguyen","image":{"@type":"ImageObject","inLanguage":"de-DE","@id":"https:\/\/sectest.hostpress.me\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/ebe0b5655ad033f17aac019256490ba4?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ebe0b5655ad033f17aac019256490ba4?s=96&d=mm&r=g","caption":"Tuyen Nguyen"},"url":"\/de\/security-alert\/author\/tutnguyen\/"}]}},"_links":{"self":[{"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/posts\/14318"}],"collection":[{"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/comments?post=14318"}],"version-history":[{"count":3,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/posts\/14318\/revisions"}],"predecessor-version":[{"id":14345,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/posts\/14318\/revisions\/14345"}],"wp:attachment":[{"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/media?parent=14318"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/categories?post=14318"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/tags?post=14318"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}