CVE-2018-11039
Cross-Site Tracing (XST) vulnerability in spring-web (Maven)


What is CVE-2018-11039 About?

This vulnerability in Spring Framework allows an attacker to escalate a pre-existing Cross-Site Scripting (XSS) vulnerability into a Cross-Site Tracing (XST) attack. It arises because the `HiddenHttpMethodFilter` permits the request method to be overridden to any HTTP method, including TRACE. Exploiting it requires a prior XSS vulnerability.

Affected Software

  • org.springframework:spring-web
    • >5.0.0, <5.0.7
    • >4.3.0, <4.3.18

Technical Details

The vulnerability exists in Spring Framework versions 5.0.x prior to 5.0.7, 4.3.x prior to 4.3.18, and older unsupported versions, and only when the HiddenHttpMethodFilter is enabled in Spring MVC. This filter lets a web application override the actual HTTP request method (typically a form POST) with a method named in a hidden form field or request parameter. Crucially, the affected versions accept any HTTP method as the override target, including TRACE. TRACE is usually disabled at the server level to mitigate XST, but if it is reachable through this filter and the application also has a pre-existing Cross-Site Scripting (XSS) vulnerability, an attacker can combine the two: the injected script sends a TRACE request from the victim's browser to the vulnerable server, and because a TRACE response echoes the request it received, the script can read cookie values (including HttpOnly cookies) and other headers it could not otherwise access. This escalates the XSS into an XST attack.
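The practical mitigation short of upgrading is to stop honouring arbitrary override targets: only the methods an HTML form genuinely cannot express (PUT, DELETE, PATCH) are accepted, and everything else, TRACE included, is ignored and logged. The filter below is an added example written for this page, not Spring's own HiddenHttpMethodFilter; the class name SafeMethodOverrideFilter and the allow-list are assumptions, while the `_method` parameter name matches the default the Spring filter reads. It is built on Spring's OncePerRequestFilter and the javax.servlet API of the 4.3/5.0 era.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical hardened method-override filter (added example, not Spring's code).
 * Only a fixed allow-list of override targets is honoured; "_method=TRACE" (or any
 * other method outside the list) is logged and ignored, so the request stays a POST.
 */
public class SafeMethodOverrideFilter extends OncePerRequestFilter {

    /** Same parameter name Spring's HiddenHttpMethodFilter reads by default. */
    private static final String METHOD_PARAM = "_method";

    /** Methods an HTML form cannot send natively and that are safe to emulate. */
    private static final Set<String> ALLOWED_METHODS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("PUT", "DELETE", "PATCH")));

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain)
            throws ServletException, IOException {

        HttpServletRequest requestToUse = request;
        String override = request.getParameter(METHOD_PARAM);

        // Only a real POST may be rewritten; GET/HEAD overrides are never honoured.
        if ("POST".equals(request.getMethod()) && override != null && !override.isEmpty()) {
            String method = override.toUpperCase(Locale.ENGLISH);
            if (ALLOWED_METHODS.contains(method)) {
                requestToUse = new HttpMethodRequestWrapper(request, method);
            } else {
                // Disallowed target (TRACE, OPTIONS, CONNECT, ...): keep the plain POST
                // and leave an audit trail; 'logger' is inherited from GenericFilterBean.
                logger.warn("Rejected method override '" + override
                        + "' from " + request.getRemoteAddr()
                        + " for " + request.getRequestURI());
            }
        }
        filterChain.doFilter(requestToUse, response);
    }

    /** Presents the allow-listed method to downstream handlers in place of POST. */
    private static final class HttpMethodRequestWrapper extends HttpServletRequestWrapper {
        private final String method;

        HttpMethodRequestWrapper(HttpServletRequest request, String method) {
            super(request);
            this.method = method;
        }

        @Override
        public String getMethod() {
            return this.method;
        }
    }
}
```

Register this as a Filter bean in place of HiddenHttpMethodFilter (it is not an addition on top of it, since the original filter would still rewrite the method first). The warn line is deliberate: a rejected `_method=TRACE` on a POST is a strong indicator that someone is probing for exactly this escalation, and a filter is the only place that sees body parameters, which never reach the access log. Upgrading to 4.3.18 or 5.0.7 remains the proper fix; this only reproduces the allow-list idea for deployments that cannot upgrade immediately.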

What is the Impact of CVE-2018-11039?

Successful exploitation may allow attackers to retrieve sensitive cookie data and other HTTP headers from the victim's browser, bypassing `HttpOnly` cookie protections and enabling session hijacking.

What is the Exploitability of CVE-2018-11039?

Exploitation of this vulnerability requires two conditions: a pre-existing Cross-Site Scripting (XSS) vulnerability in the application, and the HiddenHttpMethodFilter being enabled and accepting the TRACE method as an override target. An attacker would first need to inject and execute malicious JavaScript via the XSS. That script would then craft and send a TRACE request using the HiddenHttpMethodFilter mechanism. No authentication or privilege escalation is required beyond successfully triggering the XSS. The attack is remote, as it relies on injecting client-side script into a victim's browser. The complexity is moderate, requiring knowledge of both XSS and how to leverage the Spring filter for method override. The presence of an active XSS significantly increases the likelihood of successful exploitation.
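Because the override is just a request parameter, attempts that travel in the query string leave a trace in ordinary web-server access logs. The scanner below is an added example, not part of this advisory or of Spring: it parses combined-log-format request lines, decodes the `_method` value (case and percent-encoding included) and flags any line whose override target is outside the PUT/DELETE/PATCH allow-list. The class name and the sample log lines in `main` are constructed for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Flags access-log entries whose query string carries a method-override parameter
 * naming a method outside the allow-list (added detection example, hypothetical class).
 */
public class MethodOverrideLogScan {

    private static final Set<String> ALLOWED =
            new HashSet<>(Arrays.asList("PUT", "DELETE", "PATCH"));

    // Combined-log-format request line: "METHOD /path?query HTTP/1.1"
    private static final Pattern REQUEST_LINE = Pattern.compile(
            "\"(?<method>[A-Z]+) (?<path>[^ ?\"]+)(?:\\?(?<query>[^ \"]*))? HTTP/[0-9.]+\"");

    /** Returns the upper-cased override target named in the query, or null if none. */
    static String overrideTarget(String query) {
        if (query == null) return null;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (!"_method".equals(key)) continue;
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            try {
                // Decode so "%74%72%61%63%65" and "trace" are both seen as TRACE.
                return URLDecoder.decode(value, "UTF-8").toUpperCase(Locale.ENGLISH);
            } catch (UnsupportedEncodingException e) {
                throw new IllegalStateException(e); // UTF-8 is always available
            }
        }
        return null;
    }

    /** Returns the log lines that carry a disallowed override such as _method=TRACE. */
    static List<String> suspicious(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = REQUEST_LINE.matcher(line);
            if (!m.find()) continue;
            String target = overrideTarget(m.group("query"));
            if (target != null && !ALLOWED.contains(target)) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines; addresses are documentation ranges, not real hosts.
        List<String> sample = Arrays.asList(
            "203.0.113.5 - - [10/Jun/2018:12:00:01 +0000] \"POST /profile?_method=PUT HTTP/1.1\" 200 512",
            "203.0.113.5 - - [10/Jun/2018:12:00:02 +0000] \"POST /profile?_method=TRACE HTTP/1.1\" 200 731",
            "198.51.100.9 - - [10/Jun/2018:12:00:03 +0000] \"POST /profile?_method=%74%72%61%63%65 HTTP/1.1\" 200 731",
            "198.51.100.9 - - [10/Jun/2018:12:00:04 +0000] \"GET /profile HTTP/1.1\" 200 1024");
        for (String hit : suspicious(sample)) {
            System.out.println("ALERT " + hit);
        }
    }
}
```

Run against the constructed sample, the plain PUT override and the GET pass, while the literal and the percent-encoded lowercase TRACE variants are both reported. The caveat for anyone wiring this into a SIEM: the filter reads `_method` from the request body as readily as from the query string, and body parameters are absent from access logs, so this scan catches only the query-string form; application-side logging at the filter (as in the hardening example above) is needed for full coverage.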

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2018-11039?

Available Upgrade Options

  • org.springframework:spring-web
    • >4.3.0, <4.3.18 → Upgrade to 4.3.18
  • org.springframework:spring-web
    • >5.0.0, <5.0.7 → Upgrade to 5.0.7


Additional Resources

What are Similar Vulnerabilities to CVE-2018-11039?

Similar Vulnerabilities: CVE-2017-1000048, CVE-2014-0054, CVE-2007-3008, CVE-2018-1271, CVE-2009-3221