2018-04-11 15:29:00 2020-07-15 05:15:00

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Vector: NETWORK
Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
Affected products (wildcard CPE fields kept as given):

Oracle Tape library acsls 8.4 * * * (not an official CPE)
Oracle Service architecture leveraging tuxedo 12.2.2.0.0 * * * (not an official CPE)
Oracle Service architecture leveraging tuxedo 12.1.3.0.0 * * * (not an official CPE)
Oracle Retail predictive application server 16.0 * * * (not an official CPE)
Oracle Retail predictive application server 15.0 * * * (not an official CPE)
Oracle Retail predictive application server 14.1 * * * (not an official CPE)
Oracle Retail predictive application server 14.0 * * * (not an official CPE)
Oracle Retail order broker 16.0 * * * (not an official CPE)
Oracle Retail order broker 15.0 * * * (not an official CPE)
Oracle Retail order broker 5.2 * * * (not an official CPE)
Oracle Retail open commerce platform 6.0.1 * * * (not an official CPE)
Oracle Retail order broker 5.1 * * * (not an official CPE)
Oracle Retail open commerce platform 6.0.0 * * * (not an official CPE)
Oracle Retail open commerce platform 5.3.0 * * * (not an official CPE)
Oracle Retail customer insights 16.0 * * * (not an official CPE)
Oracle Primavera gateway 17.12 * * * (not an official CPE)
Oracle Retail customer insights 15.0 * * * (not an official CPE)
Oracle Primavera gateway 16.2 * * * (not an official CPE)
Oracle Insurance rules palette 11.1 * * * (not an official CPE)
Oracle Primavera gateway 15.2 * * * (not an official CPE)
Oracle Insurance rules palette 11.0 * * * (not an official CPE)
Oracle Insurance rules palette 10.2 * * * (not an official CPE)
Oracle Insurance rules palette 10.1 * * * (not an official CPE)
Oracle Insurance calculation engine 10.2.1 * * * (not an official CPE)
Oracle Insurance rules palette 10.0 * * * (not an official CPE)
Oracle Insurance calculation engine 10.2 * * * (not an official CPE)
Oracle Insurance calculation engine 10.1.1 * * * (not an official CPE)
Oracle Healthcare master person index 4.0 * * * (not an official CPE)
Oracle Healthcare master person index 3.0 * * * (not an official CPE)
Oracle Health sciences information manager 3.0 * * * (not an official CPE)
Oracle Goldengate for big data 12.3.2.1 * * * (not an official CPE)
Oracle Goldengate for big data 12.3.1.1 * * * (not an official CPE)
Oracle Goldengate for big data 12.2.0.1 * * * (not an official CPE)
Oracle Communications services gatekeeper * * * * (not an official CPE)
Oracle Communications performance intelligence center * * * * (not an official CPE)
Oracle Communications diameter signaling router * * * * (not an official CPE)
Oracle Communications converged application server * * * * (not an official CPE)
Oracle Big data discovery 1.6.0 * * * (not an official CPE)
Oracle Application testing suite 13.3.0.1 * * * (not an official CPE)
Oracle Application testing suite 13.2.0.1 * * * (not an official CPE)
Oracle Application testing suite 13.1.0.1 * * * (not an official CPE)
Oracle Application testing suite 12.5.0.3 * * * (not an official CPE)
Pivotal software Spring framework * * * * (not an official CPE)
Pivotal software Spring framework * * * * (not an official CPE)