CVE-2018-1272
Privilege Escalation vulnerability in spring-core (Maven)

Privilege Escalation No known exploit

What is CVE-2018-1272 About?

Spring Framework versions 5.0 prior to 5.0.5, versions 4.3 prior to 4.3.15, and older unsupported versions provide client-side support for multipart requests (for example through RestTemplate or WebClient). When a Spring MVC or Spring WebFlux application receives input from a remote client and copies that input into a multipart request it sends to another server, an attacker can make the outgoing body contain an extra multipart part, so the second server binds an attacker-controlled value for a part it expected the first server to set. Pivotal's advisory describes this as multipart content pollution; its impact is privilege escalation if the downstream server trusts those parts for identity or authorization. Exploitation requires this specific forwarding architecture and the ability to control or influence the input that is forwarded.

Affected Software

  • org.springframework:spring-core
    • >=5.0.0, <5.0.5 (5.0.0 itself is affected: "5.0 prior to 5.0.5")
    • <4.3.15 (including older, unsupported 4.x and 3.x lines)

Technical Details

The vulnerability arises when a Spring MVC or Spring WebFlux server application (server A) accepts input from a remote client and then uses that input to construct and send a multipart/form-data request to another server (server B). A multipart body has no escaping: parts are separated only by the delimiter line "--<boundary>", and each part's value is copied into the body verbatim. If the attacker can get a delimiter line followed by a forged part header into the value that server A forwards, server B sees one more part than server A intended. For that the attacker must know the boundary server A's client will use; in the affected versions the boundary produced by MimeTypeUtils.generateMultipartBoundary() in spring-core was not drawn from a cryptographically secure random source, and the fix in 5.0.5 and 4.3.15 switches boundary generation to SecureRandom so the delimiter is unpredictable per request. When the injected part reuses the name of a field server A sets itself, such as a username or role, server B's parser may bind the attacker's value instead of the legitimate one (many frameworks keep the last value for a repeated field name), which is where the privilege escalation comes from.

What is the Impact of CVE-2018-1272?

Successful exploitation may allow attackers to achieve privilege escalation, gaining unauthorized access or elevated permissions within the application.

What is the Exploitability of CVE-2018-1272?

Exploitation presents moderate complexity, as it requires a specific application architecture: a Spring application that copies client-supplied input into a multipart request it makes to another server. The attacker's own request to server A need not be multipart at all; the prerequisite is that the forwarded value can carry a CRLF followed by the delimiter line and a forged part header, and that the attacker knows or can predict the boundary server A will generate. Authentication may be required to reach the relevant endpoint on server A, depending on its configuration, but no elevated privileges on server A are needed, and the attack is remote. The likelihood of exploitation is highest when the intermediary forwards client input verbatim as a part body and the downstream server binds repeated part names by taking the last value; it drops sharply once the boundary is unpredictable (the fixed versions) or the intermediary rejects input containing its own delimiter.
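The forwarding pattern described in the Technical Details and Exploitability sections, reduced to a constructed, self-contained Python demonstration. This is added example code, not Spring Framework code and not from the advisory: build_multipart stands in for the client-side multipart serializer in server A, parse_multipart for the form parser in server B, and the field names "user", "role" and "comment", the predictable boundary value, and the attack string are all assumptions made up for the example. The hardened variant shows the two checks a practitioner wants: a per-request boundary from a CSPRNG (the approach the fixed Spring versions take) and an explicit refusal to embed input that contains the delimiter.

```python
"""Multipart content pollution, the pattern behind CVE-2018-1272.

Constructed demonstration, not Spring code: server A copies a field it received
from a remote client into a multipart/form-data request to server B. Multipart
bodies have no escaping, so a value containing the line "--<boundary>" adds a
part, and server B binds the attacker's value for a name server A set itself."""
import re
import secrets

CRLF = "\r\n"
_NAME = re.compile(r'name="([^"]*)"')


def build_multipart(fields, boundary):
    """Serialize (name, value) pairs as multipart/form-data the way an HTTP
    client does: delimiter, headers, blank line, raw value. Values are copied
    verbatim; the boundary is the only thing that separates parts."""
    out = []
    for name, value in fields:
        out.append(f"--{boundary}{CRLF}")
        out.append(f'Content-Disposition: form-data; name="{name}"{CRLF}{CRLF}')
        out.append(f"{value}{CRLF}")
    out.append(f"--{boundary}--{CRLF}")
    return "".join(out)


def parse_multipart(body, boundary):
    """Minimal server-B parser: split on the delimiter and read each part's
    name from Content-Disposition. A repeated name keeps the last value, which
    is how many frameworks bind duplicate form fields."""
    fields = {}
    for chunk in body.split(f"--{boundary}")[1:]:
        if chunk.startswith("--"):          # "--boundary--" closes the body
            break
        headers, _, value = chunk.partition(CRLF + CRLF)
        match = _NAME.search(headers)
        if match:
            fields[match.group(1)] = value[:-len(CRLF)] if value.endswith(CRLF) else value
    return fields


def server_a_forward(client_comment, boundary):
    """Server A, vulnerable shape: server-chosen identity fields plus one
    client-supplied field, framed with a boundary the attacker can predict."""
    fields = [("user", "alice"), ("role", "user"), ("comment", client_comment)]
    return build_multipart(fields, boundary)


def pollution_payload(boundary):
    """What the remote client sends as its comment (constructed attack input):
    a normal value, then a delimiter line and a second 'role' part that server
    B will parse as if server A had sent it."""
    return (f"nice post{CRLF}--{boundary}{CRLF}"
            f'Content-Disposition: form-data; name="role"{CRLF}{CRLF}admin')


def reject_if_contains_delimiter(value, boundary):
    """Defensive check for server A: never embed a value that could terminate
    the current part. Raises ValueError instead of forwarding."""
    if f"--{boundary}" in value:
        raise ValueError("client input contains the multipart delimiter")
    return value


def server_a_forward_hardened(client_comment):
    """Fixed shape: a fresh boundary from a CSPRNG for every request (the fixed
    Spring versions generate boundaries with SecureRandom) plus the check above.
    Returns (boundary, body) so the caller can set the Content-Type header."""
    boundary = secrets.token_hex(16)        # 128 bits; not guessable from outside
    reject_if_contains_delimiter(client_comment, boundary)
    fields = [("user", "alice"), ("role", "user"), ("comment", client_comment)]
    return boundary, build_multipart(fields, boundary)


if __name__ == "__main__":
    predictable = "FormBoundary0000"         # constructed: a boundary the attacker knows
    attack = pollution_payload(predictable)
    print(parse_multipart(server_a_forward(attack, predictable), predictable))
    # {'user': 'alice', 'role': 'admin', 'comment': 'nice post'}
    boundary, body = server_a_forward_hardened(attack)
    print(parse_multipart(body, boundary)["role"])   # user
```

Whether the injected part wins depends on its position in the body and on server B's policy for repeated names; the demo places the client field last and uses a last-value-wins parser, which is the worst case. Randomizing the boundary is the fix that removes the precondition; the delimiter check is a cheap second layer for code that forwards client input into any delimiter-framed format.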

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits listed.

What are the Available Fixes for CVE-2018-1272?

Available Upgrade Options

  • org.springframework:spring-core
    • <4.3.15 → Upgrade to 4.3.15 (or later 4.3.x)
    • >=5.0.0, <5.0.5 → Upgrade to 5.0.5 (or later 5.0.x)


Additional Resources

What are Similar Vulnerabilities to CVE-2018-1272?

Similar Vulnerabilities: CVE-2021-22961, CVE-2022-22965, CVE-2022-22947, CVE-2020-5398, CVE-2019-3795