CVE-2018-1272

CVSS v3.1 7.5 (High)
CVSS v2.0 6 (Medium)
EPSS 0.19 % (56th)
Affected Products 25
Advisories 1

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
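As an added illustration (not code from this record or from the Spring Framework), the snippet below shows the two defensive layers the description implies: server A refuses to forward a client-supplied value that contains its own randomly generated boundary delimiter, and server B rejects a body in which a part name occurs twice instead of silently accepting whichever copy wins. The function names, the fixed boundary `bnd` and the sample body are constructed here for the example.

```python
import re
import secrets

CRLF = "\r\n"

def encode_multipart(parts: dict[str, str], boundary: str = "") -> tuple[str, str]:
    """Server A side: build the multipart/form-data body sent to server B.
    A forwarded value containing "--<boundary>" would end the current part
    and start an injected one, so it is refused; the boundary is random
    unless fixed by the caller (tests). Returns (boundary, body)."""
    boundary = boundary or secrets.token_hex(16)
    delimiter = "--" + boundary
    lines: list[str] = []
    for name, value in parts.items():
        if delimiter in name or delimiter in value:
            raise ValueError(f"part {name!r} contains the multipart delimiter")
        lines += [delimiter, f'Content-Disposition: form-data; name="{name}"', "", value]
    lines.append(delimiter + "--")
    return boundary, CRLF.join(lines) + CRLF

def parse_parts_strict(body: str, boundary: str) -> dict[str, str]:
    """Server B side: decode the parts, refusing a body in which a part
    name occurs twice instead of silently keeping whichever copy wins."""
    delimiter = "--" + boundary
    parts: dict[str, str] = {}
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith("--"):
            break  # closing delimiter reached
        headers, _, content = chunk.partition(CRLF + CRLF)
        match = re.search(r'name="([^"]*)"', headers)
        name = match.group(1) if match else ""
        if name in parts:
            raise ValueError(f"duplicate multipart part {name!r}")
        parts[name] = content[:-len(CRLF)] if content.endswith(CRLF) else content
    return parts

def is_polluted(body: str, boundary: str) -> bool:
    """True when the strict parser rejects the body (detection hook)."""
    try:
        parse_parts_strict(body, boundary)
        return False
    except ValueError:
        return True

# Constructed sample of what server B receives from a vulnerable server A:
# the "role" part appears twice, the second copy carried inside a value.
POLLUTED_BODY = (
    '--bnd\r\nContent-Disposition: form-data; name="username"\r\n\r\nalice\r\n'
    '--bnd\r\nContent-Disposition: form-data; name="role"\r\n\r\nuser\r\n'
    '--bnd\r\nContent-Disposition: form-data; name="role"\r\n\r\nadmin\r\n--bnd--\r\n'
)
```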

Weaknesses
CWE-NVD-noinfo
CVE Status
PUBLISHED
CNA
Dell
Published Date
2018-04-06 13:29:00
Updated Date
2022-06-23 16:33:56

Affected Products


Configuration #1

  Product                  Version range                  CPE 2.3                              From       Up to
  VMware Spring Framework  from 4.3.0, prior to 4.3.15    cpe:2.3:a:vmware:spring_framework    >= 4.3.0   < 4.3.15
  VMware Spring Framework  from 5.0, prior to 5.0.5       cpe:2.3:a:vmware:spring_framework    >= 5.0     < 5.0.5

Configuration #2

  Product and version  CPE 2.3  From  Up to
  Oracle Application Testing Suite 12.5.0.3 cpe:2.3:a:oracle:application_testing_suite:12.5.0.3
  Oracle Application Testing Suite 13.1.0.1 cpe:2.3:a:oracle:application_testing_suite:13.1.0.1
  Oracle Application Testing Suite 13.2.0.1 cpe:2.3:a:oracle:application_testing_suite:13.2.0.1
  Oracle Application Testing Suite 13.3.0.1 cpe:2.3:a:oracle:application_testing_suite:13.3.0.1
  Oracle Big Data Discovery 1.6.0 cpe:2.3:a:oracle:big_data_discovery:1.6.0
  Oracle Communications Converged Application Server prior 7.0.0.1 version cpe:2.3:a:oracle:communications_converged_application_server < 7.0.0.1
  Oracle Communications Diameter Signaling Router prior 8.3 version cpe:2.3:a:oracle:communications_diameter_signaling_router < 8.3
  Oracle Communications Performance Intelligence Center prior 10.2.1 version cpe:2.3:a:oracle:communications_performance_intelligence_center < 10.2.1
  Oracle Communications Services Gatekeeper prior 6.1.0.4.0 version cpe:2.3:a:oracle:communications_services_gatekeeper < 6.1.0.4.0
  Oracle Enterprise Manager Ops Center 12.2.2 cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2
  Oracle Enterprise Manager Ops Center 12.3.3 cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3
  Oracle Goldengate for Big Data 12.2.0.1 cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1
  Oracle Goldengate for Big Data 12.3.1.1 cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1
  Oracle Goldengate for Big Data 12.3.2.1 cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1
  Oracle Health Sciences Information Manager 3.0 cpe:2.3:a:oracle:health_sciences_information_manager:3.0
  Oracle Healthcare Master Person Index 3.0 cpe:2.3:a:oracle:healthcare_master_person_index:3.0
  Oracle Healthcare Master Person Index 4.0 cpe:2.3:a:oracle:healthcare_master_person_index:4.0
  Oracle Insurance Calculation Engine 10.1.1 cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1
  Oracle Insurance Calculation Engine 10.2 cpe:2.3:a:oracle:insurance_calculation_engine:10.2
  Oracle Insurance Calculation Engine 10.2.1 cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1
  Oracle Insurance Rules Palette 10.0 cpe:2.3:a:oracle:insurance_rules_palette:10.0
  Oracle Insurance Rules Palette 10.1 cpe:2.3:a:oracle:insurance_rules_palette:10.1
  Oracle Insurance Rules Palette 10.2 cpe:2.3:a:oracle:insurance_rules_palette:10.2
  Oracle Insurance Rules Palette 11.0 cpe:2.3:a:oracle:insurance_rules_palette:11.0
  Oracle Insurance Rules Palette 11.1 cpe:2.3:a:oracle:insurance_rules_palette:11.1
  Oracle Primavera Gateway 15.2 cpe:2.3:a:oracle:primavera_gateway:15.2
  Oracle Primavera Gateway 16.2 cpe:2.3:a:oracle:primavera_gateway:16.2
  Oracle Primavera Gateway 17.12 cpe:2.3:a:oracle:primavera_gateway:17.12
  Oracle Retail Back Office 14.0 cpe:2.3:a:oracle:retail_back_office:14.0
  Oracle Retail Back Office 14.1 cpe:2.3:a:oracle:retail_back_office:14.1
  Oracle Retail Central Office 14.0 cpe:2.3:a:oracle:retail_central_office:14.0
  Oracle Retail Central Office 14.1 cpe:2.3:a:oracle:retail_central_office:14.1
  Oracle Retail Customer Insights 15.0 cpe:2.3:a:oracle:retail_customer_insights:15.0
  Oracle Retail Customer Insights 16.0 cpe:2.3:a:oracle:retail_customer_insights:16.0
  Oracle Retail Integration Bus 14.0.1 cpe:2.3:a:oracle:retail_integration_bus:14.0.1
  Oracle Retail Integration Bus 14.0.2 cpe:2.3:a:oracle:retail_integration_bus:14.0.2
  Oracle Retail Integration Bus 14.0.3 cpe:2.3:a:oracle:retail_integration_bus:14.0.3
  Oracle Retail Integration Bus 14.0.4 cpe:2.3:a:oracle:retail_integration_bus:14.0.4
  Oracle Retail Integration Bus 14.1.1 cpe:2.3:a:oracle:retail_integration_bus:14.1.1
  Oracle Retail Integration Bus 14.1.2 cpe:2.3:a:oracle:retail_integration_bus:14.1.2
  Oracle Retail Integration Bus 14.1.3 cpe:2.3:a:oracle:retail_integration_bus:14.1.3
  Oracle Retail Integration Bus 15.0.0.1 cpe:2.3:a:oracle:retail_integration_bus:15.0.0.1
  Oracle Retail Integration Bus 15.0.1 cpe:2.3:a:oracle:retail_integration_bus:15.0.1
  Oracle Retail Integration Bus 15.0.2 cpe:2.3:a:oracle:retail_integration_bus:15.0.2
  Oracle Retail Integration Bus 16.0 cpe:2.3:a:oracle:retail_integration_bus:16.0
  Oracle Retail Integration Bus 16.0.1 cpe:2.3:a:oracle:retail_integration_bus:16.0.1
  Oracle Retail Integration Bus 16.0.2 cpe:2.3:a:oracle:retail_integration_bus:16.0.2
  Oracle Retail Open Commerce Platform 5.3.0 cpe:2.3:a:oracle:retail_open_commerce_platform:5.3.0
  Oracle Retail Open Commerce Platform 6.0.0 cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.0
  Oracle Retail Open Commerce Platform 6.0.1 cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.1
  Oracle Retail Order Broker 5.1 cpe:2.3:a:oracle:retail_order_broker:5.1
  Oracle Retail Order Broker 5.2 cpe:2.3:a:oracle:retail_order_broker:5.2
  Oracle Retail Order Broker 15.0 cpe:2.3:a:oracle:retail_order_broker:15.0
  Oracle Retail Order Broker 16.0 cpe:2.3:a:oracle:retail_order_broker:16.0
  Oracle Retail Point-of-sale 14.0 cpe:2.3:a:oracle:retail_point-of-sale:14.0
  Oracle Retail Point-of-sale 14.1 cpe:2.3:a:oracle:retail_point-of-sale:14.1
  Oracle Retail Predictive Application Server 14.0 cpe:2.3:a:oracle:retail_predictive_application_server:14.0
  Oracle Retail Predictive Application Server 14.1 cpe:2.3:a:oracle:retail_predictive_application_server:14.1
  Oracle Retail Predictive Application Server 15.0 cpe:2.3:a:oracle:retail_predictive_application_server:15.0
  Oracle Retail Predictive Application Server 16.0 cpe:2.3:a:oracle:retail_predictive_application_server:16.0
  Oracle Retail Returns Management 14.0 cpe:2.3:a:oracle:retail_returns_management:14.0
  Oracle Retail Returns Management 14.1 cpe:2.3:a:oracle:retail_returns_management:14.1
  Oracle Service Architecture Leveraging Tuxedo 12.1.3.0.0 cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0
  Oracle Service Architecture Leveraging Tuxedo 12.2.2.0.0 cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0
  Oracle Tape Library Acsls 8.4 cpe:2.3:a:oracle:tape_library_acsls:8.4