CVE-2018-11040
Cross-domain Request vulnerability in spring-core (Maven)

Type: Cross-domain Request
Known exploits: none

What is CVE-2018-11040 About?

Spring Framework applications can expose cross-domain requests via JSONP through `AbstractJsonpResponseBodyAdvice` and `MappingJackson2JsonView`. Neither is enabled by default, but once `MappingJackson2JsonView` is configured, JSONP support becomes active without any further opt-in, which can lead to information disclosure or other cross-domain attacks. Exploitation therefore depends on `MappingJackson2JsonView` being present and configured in the application.

Affected Software

  • org.springframework:spring-core
    • >5.0.0.RELEASE, <5.0.7.RELEASE
    • >4.3.0.RELEASE, <4.3.18.RELEASE

Technical Details

Spring Framework versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18, as well as older unsupported versions, can implicitly enable JSONP (JSON with Padding) support for REST controllers and browser requests. `AbstractJsonpResponseBodyAdvice` and `MappingJackson2JsonView` are not enabled by default in Spring Framework or Spring Boot, but if an application explicitly configures `MappingJackson2JsonView`, JSONP support automatically becomes available. By appending a `jsonp` or `callback` parameter to a request, an attacker can make a victim's browser issue a cross-domain request to the vulnerable application. The response is then wrapped in a JavaScript function call, which bypasses the Same-Origin Policy and lets the attacker read data that would normally be restricted to the originating domain.
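The configuration the advisory describes, as an added example that is not part of the advisory or of the Spring project's own code: a Spring MVC Java config showing the `MappingJackson2JsonView` setup that silently enables JSONP on affected versions, beside a hardened form that clears the JSONP parameter names and serves cross-origin clients through a CORS allow-list instead. The class name, the `/api/**` path and the origin are assumptions; it targets the affected 4.3.x / 5.0.x lines with Jackson on the classpath.

```java
// Added example, not the advisory's or Spring's own code.
// Assumes Spring Framework 4.3.x / 5.0.x (the affected lines) and Jackson present.
import java.util.Collections;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.View;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

@Configuration
public class JsonViewConfig extends WebMvcConfigurerAdapter {

    // RISKY on unpatched versions (shown for contrast, deliberately not a @Bean):
    // with no further settings the view honours ?jsonp=fn and ?callback=fn and
    // emits the model as a script, /**/fn({...});, readable cross-origin.
    static View jsonViewAsAffectedVersionsShipIt() {
        return new MappingJackson2JsonView();
    }

    // HARDENED: clear the JSONP parameter names explicitly, so no query
    // parameter can turn a JSON response into a script on any version.
    @Bean
    public View jsonView() {
        MappingJackson2JsonView view = new MappingJackson2JsonView();
        view.setJsonpParameterNames(Collections.<String>emptySet());
        return view;
    }

    // Where cross-origin access is genuinely needed, use CORS with an explicit
    // origin allow-list rather than JSONP (path and origin are placeholders).
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOrigins("https://trusted.example")
                .allowedMethods("GET");
    }
}
```

After upgrading to the fixed releases the explicit `setJsonpParameterNames` call is redundant but harmless, and it documents the intent for anyone reviewing the configuration later.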

What is the Impact of CVE-2018-11040?

Successful exploitation may allow an attacker to bypass the Same-Origin Policy, leading to information disclosure, session hijacking, or other attacks related to cross-site scripting (XSS).

What is the Exploitability of CVE-2018-11040?

Exploitation requires the target application to have `MappingJackson2JsonView` configured. The attacker then crafts a malicious web page whose JavaScript makes a cross-domain request to the vulnerable Spring endpoint with a valid `jsonp` or `callback` query parameter. Attack complexity is low. Because the sensitive data is only returned for an authenticated session, the victim must be logged in to the application for data exfiltration to succeed; no privileges beyond those of an authenticated user are needed. This is primarily a remote, client-side vulnerability. The major risk factor is deploying `MappingJackson2JsonView` in an application that serves sensitive data and processes untrusted user requests.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2018-11040?

Available Upgrade Options

  • org.springframework:spring-core
    • >4.3.0.RELEASE, <4.3.18.RELEASE → Upgrade to 4.3.18.RELEASE
    • >5.0.0.RELEASE, <5.0.7.RELEASE → Upgrade to 5.0.7.RELEASE

Additional Resources

What are Similar Vulnerabilities to CVE-2018-11040?

Similar Vulnerabilities: CVE-2013-6429, CVE-2015-3192, CVE-2015-5211, CVE-2016-5399, CVE-2019-11267