2018-04-06 15:29:00 2020-07-15 05:15:00

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack in which an extra multipart is inserted into the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
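To make the mechanism concrete, here is an added example (not Spring's code) that models the relay at the wire-format level: a builder on server A that embeds client input verbatim, a lenient receiver on server B, and the check a defender can apply on either side. All function names, the boundary and the sample values are this example's own assumptions.

```python
import re

CRLF = b"\r\n"

def check_part_value(value, boundary):
    """Server A hardening: refuse a value that contains this body's delimiter sequence."""
    if CRLF + b"--" + boundary in value:
        raise ValueError("part value contains the multipart boundary delimiter")

def build_multipart(parts, boundary, strict=False):
    """Server A side: encode (name, value) pairs as multipart/form-data.
    strict=False embeds values verbatim (the pre-fix behaviour); strict=True validates first."""
    body = b""
    for name, value in parts:
        if strict:
            check_part_value(value, boundary)
        body += b"--" + boundary + CRLF
        body += b'Content-Disposition: form-data; name="' + name.encode() + b'"' + CRLF + CRLF
        body += value + CRLF
    return body + b"--" + boundary + b"--" + CRLF

def parse_multipart(body, boundary):
    """Server B side: lenient parser that records every value seen for each part name."""
    parts = {}
    for chunk in (CRLF + body).split(CRLF + b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter
        head, _, value = chunk.partition(CRLF + CRLF)
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            parts.setdefault(m.group(1).decode(), []).append(value)
    return parts

def duplicate_part_names(parts):
    """Server B hardening: a name that arrived more than once signals an injected part."""
    return [name for name, values in parts.items() if len(values) > 1]

# Constructed sample (this example's own): a username value that carries a second
# "role" part, i.e. the extra-part insertion the advisory describes.
BOUNDARY = b"boundary42"
INJECTED = (b"alice" + CRLF + b"--" + BOUNDARY + CRLF
            + b'Content-Disposition: form-data; name="role"' + CRLF + CRLF + b"admin")

def relay(username, strict=False):
    """Server A forwards the client-supplied username plus its own role part to server B."""
    body = build_multipart([("username", username), ("role", b"user")], BOUNDARY, strict)
    parsed = parse_multipart(body, BOUNDARY)
    return parsed, duplicate_part_names(parsed)
```

Which of the two duplicate "role" values server B acts on depends on its parser; either way it is the wrong value, which is why rejecting duplicate part names on the receiving side is the safer response.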

Vector: NETWORK
Complexity: MEDIUM
Authentication: SINGLE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL

Affected configurations (all marked in the source as not official CPEs; entries without a version give none):

Oracle Tape library acsls 8.4
Oracle Service architecture leveraging tuxedo 12.2.2.0.0
Oracle Retail returns management 14.1
Oracle Service architecture leveraging tuxedo 12.1.3.0.0
Oracle Retail returns management 14.0
Oracle Retail predictive application server 16.0
Oracle Retail predictive application server 15.0
Oracle Retail predictive application server 14.1
Oracle Retail predictive application server 14.0
Oracle Retail point-of-sale 14.1
Oracle Retail point-of-sale 14.0
Oracle Retail order broker 16.0
Oracle Retail order broker 15.0
Oracle Retail order broker 5.2
Oracle Retail order broker 5.1
Oracle Retail open commerce platform 6.0.1
Oracle Retail open commerce platform 6.0.0
Oracle Retail open commerce platform 5.3.0
Oracle Retail integration bus 16.0.2
Oracle Retail integration bus 16.0.1
Oracle Retail integration bus 16.0
Oracle Retail integration bus 15.0.0.1
Oracle Retail integration bus 15.0.2
Oracle Retail integration bus 15.0.1
Oracle Retail integration bus 14.1.3
Oracle Retail integration bus 14.1.2
Oracle Retail integration bus 14.1.1
Oracle Retail integration bus 14.0.2
Oracle Retail integration bus 14.0.3
Oracle Retail integration bus 14.0.4
Oracle Retail customer insights 15.0
Oracle Retail customer insights 16.0
Oracle Retail integration bus 14.0.1
Oracle Retail central office 14.1
Oracle Retail central office 14.0
Oracle Retail back office 14.1
Oracle Retail back office 14.0
Oracle Primavera gateway 17.12
Oracle Primavera gateway 16.2
Oracle Insurance rules palette 11.0
Oracle Insurance rules palette 11.1
Oracle Primavera gateway 15.2
Oracle Insurance rules palette 10.2
Oracle Insurance rules palette 10.1
Oracle Insurance rules palette 10.0
Oracle Insurance calculation engine 10.2
Oracle Insurance calculation engine 10.2.1
Oracle Insurance calculation engine 10.1.1
Oracle Healthcare master person index 4.0
Oracle Health sciences information manager 3.0
Oracle Healthcare master person index 3.0
Oracle Goldengate for big data 12.3.2.1
Oracle Goldengate for big data 12.3.1.1
Oracle Goldengate for big data 12.2.0.1
Oracle Enterprise manager ops center 12.3.3
Oracle Enterprise manager ops center 12.2.2
Oracle Communications services gatekeeper
Oracle Communications performance intelligence center
Oracle Communications diameter signaling router
Oracle Communications converged application server
Oracle Big data discovery 1.6.0
Oracle Application testing suite 13.2.0.1
Oracle Application testing suite 13.3.0.1
Oracle Application testing suite 13.1.0.1
Oracle Application testing suite 12.5.0.3
Pivotal software Spring framework