CVE-2018-15756

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
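The two request shapes the description names, a large number of ranges and ranges that overlap, are both detectable before any resource region is materialised. The validator below is an added illustration of that defensive check and is not Spring's code or anything from this record: it parses a byte-range header per RFC 7233, caps the number of range specs at an assumed policy limit (MAX_RANGES is an assumption, not a Spring default), clamps each range to the resource length, and rejects any pair of ranges that overlap. Function names and the sample inputs in the tests are likewise constructed for this example.

```python
"""Defensive HTTP Range header validation (illustrative; not Spring Framework code)."""
import re

MAX_RANGES = 10  # assumed policy limit for ranges per request, not a Spring default

# One byte-range-spec: "first-last", "first-" (open-ended) or "-suffix" (last N bytes).
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


class RangeRejected(ValueError):
    """Raised when a Range header should be ignored or answered with 416."""


def parse_byte_ranges(header: str, resource_length: int,
                      max_ranges: int = MAX_RANGES) -> list[tuple[int, int]]:
    """Return the satisfiable (start, end) pairs, inclusive, in request order.

    Raises RangeRejected for an unsupported unit, malformed specs, too many
    ranges, unsatisfiable ranges, or ranges that overlap each other.
    """
    if resource_length <= 0:
        raise RangeRejected("nothing to serve")
    if not header.startswith("bytes="):
        raise RangeRejected("unsupported range unit")

    specs = [s.strip() for s in header[len("bytes="):].split(",")]
    # Check the count before doing any per-range work, so an oversized header
    # is rejected in O(1) after the split.
    if len(specs) > max_ranges:
        raise RangeRejected(f"too many ranges: {len(specs)} > {max_ranges}")

    ranges: list[tuple[int, int]] = []
    for spec in specs:
        m = _RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise RangeRejected(f"malformed range spec {spec!r}")
        first, last = m.group(1), m.group(2)
        if first == "":
            # Suffix range "-N": the last N bytes of the resource.
            n = int(last)
            if n == 0:
                raise RangeRejected("zero-length suffix range")
            start = max(0, resource_length - n)
            end = resource_length - 1
        else:
            start = int(first)
            # Open-ended "first-" runs to the end; an explicit last is clamped.
            end = resource_length - 1 if last == "" else min(int(last), resource_length - 1)
            if start > end:
                raise RangeRejected(f"unsatisfiable range {spec!r}")
        if start >= resource_length:
            raise RangeRejected(f"range {spec!r} starts past end of resource")
        ranges.append((start, end))

    # Overlap check: after sorting by start, any range that begins at or before
    # the previous range's end overlaps it. Disjoint ranges can never sum to
    # more than the resource length, so this also bounds the total bytes served.
    ordered = sorted(ranges)
    for (_, prev_end), (next_start, _) in zip(ordered, ordered[1:]):
        if next_start <= prev_end:
            raise RangeRejected("overlapping ranges")
    return ranges


def range_header_ok(header: str, resource_length: int) -> bool:
    """Convenience predicate: True when the header passes all checks above."""
    try:
        parse_byte_ranges(header, resource_length)
    except RangeRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real request.
    for h in ("bytes=0-99,200-299", "bytes=-100", "bytes=0-500,100-600",
              "bytes=" + ",".join(f"{i}-{i}" for i in range(50))):
        print(f"{h[:40]:<42} -> {'accept' if range_header_ok(h, 1000) else 'reject'}")
```

A server that fails this check should fall back to serving the whole resource with 200, or answer 416, rather than attempting to build the requested regions; either way the work done per request stays proportional to the resource, not to the header.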
Provider  Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      NIST  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
dell      CNA   7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE       ADP   ---         ---

Base Score (CVSS 3.x): 7.5 HIGH
EPSS Score: percentile 92%
Vendor  Product  Version
vmware  spring_framework  4.2.0 ≤ x < 4.3.20
vmware  spring_framework  5.0.0 ≤ x < 5.0.10
vmware  spring_framework  5.1.0
oracle  agile_plm  9.3.3
oracle  agile_plm  9.3.4
oracle  agile_plm  9.3.5
oracle  agile_plm  9.3.6
oracle  communications_brm_-_elastic_charging_engine  11.3
oracle  communications_brm_-_elastic_charging_engine  12.0
oracle  communications_converged_application_server_-_service_controller  6.0
oracle  communications_converged_application_server_-_service_controller  6.1
oracle  communications_diameter_signaling_router  8.0.0
oracle  communications_diameter_signaling_router  8.1
oracle  communications_diameter_signaling_router  8.2
oracle  communications_diameter_signaling_router  8.2.1
oracle  communications_element_manager  8.1.1
oracle  communications_element_manager  8.2.0
oracle  communications_element_manager  8.2.1
oracle  communications_online_mediation_controller  6.1
oracle  communications_session_report_manager  8.0.0
oracle  communications_session_report_manager  8.1.0
oracle  communications_session_report_manager  8.1.1
oracle  communications_session_report_manager  8.2.0
oracle  communications_session_report_manager  8.2.1
oracle  communications_session_route_manager  8.0.0
oracle  communications_session_route_manager  8.1.0
oracle  communications_session_route_manager  8.1.1
oracle  communications_session_route_manager  8.2.0
oracle  communications_session_route_manager  8.2.1
oracle  communications_unified_inventory_management  7.3
oracle  communications_unified_inventory_management  7.4.0
oracle  endeca_information_discovery_integrator  3.2.0
oracle  enterprise_manager_for_fusion_applications  13.3.0.0
oracle  enterprise_manager_ops_center  12.3.3
oracle  financial_services_analytical_applications_infrastructure  8.0.2 ≤ x ≤ 8.0.8
oracle  flexcube_private_banking  12.0.1
oracle  flexcube_private_banking  12.0.3
oracle  flexcube_private_banking  12.1.0
oracle  goldengate_application_adapters  12.3.2.1.0
oracle  healthcare_master_person_index  3.0
oracle  healthcare_master_person_index  4.0.2
oracle  identity_manager_connector  9.0
oracle  insurance_calculation_engine  9.7
oracle  insurance_calculation_engine  10.0
oracle  insurance_calculation_engine  10.1
oracle  insurance_calculation_engine  10.2
oracle  insurance_policy_administration_j2ee  10.0
oracle  insurance_policy_administration_j2ee  10.1
oracle  insurance_policy_administration_j2ee  10.2
oracle  insurance_policy_administration_j2ee  10.2.0
oracle  insurance_policy_administration_j2ee  10.2.4
oracle  insurance_policy_administration_j2ee  11.0
oracle  insurance_policy_administration_j2ee  11.1.0
oracle  insurance_policy_administration_j2ee  11.2.0
oracle  insurance_rules_palette  10.0
oracle  insurance_rules_palette  10.1
oracle  insurance_rules_palette  10.2
oracle  insurance_rules_palette  10.2.0
oracle  insurance_rules_palette  10.2.4
oracle  insurance_rules_palette  11.0
oracle  insurance_rules_palette  11.0.2
oracle  insurance_rules_palette  11.1.0
oracle  insurance_rules_palette  11.2.0
oracle  mysql_enterprise_monitor  x ≤ 4.0.12
oracle  mysql_enterprise_monitor  8.0.0 ≤ x ≤ 8.0.20
oracle  primavera_analytics  18.8
oracle  primavera_gateway  15.2
oracle  primavera_gateway  16.2
oracle  primavera_gateway  17.12
oracle  primavera_gateway  18.8.0
oracle  rapid_planning  12.1
oracle  rapid_planning  12.2
oracle  retail_advanced_inventory_planning  15.0
oracle  retail_assortment_planning  15.0
oracle  retail_assortment_planning  16.0
oracle  retail_clearance_optimization_engine  14.0.5
oracle  retail_financial_integration  14.0
oracle  retail_financial_integration  14.1
oracle  retail_financial_integration  15.0
oracle  retail_financial_integration  16.0
oracle  retail_integration_bus  15.0
oracle  retail_integration_bus  15.0.3
oracle  retail_integration_bus  16.0
oracle  retail_integration_bus  16.0.3
oracle  retail_invoice_matching  12.0
oracle  retail_invoice_matching  13.0
oracle  retail_invoice_matching  13.1
oracle  retail_invoice_matching  13.2
oracle  retail_invoice_matching  14.0
oracle  retail_invoice_matching  14.1
oracle  retail_markdown_optimization  13.4.4
oracle  retail_order_broker  5.1
oracle  retail_order_broker  5.2
oracle  retail_order_broker  15.0
oracle  retail_order_broker  16.0
oracle  retail_predictive_application_server  14.0.3
oracle  retail_predictive_application_server  14.0.3.26
oracle  retail_predictive_application_server  14.1.3
oracle  retail_predictive_application_server  14.1.3.37
oracle  retail_predictive_application_server  15.0.3
oracle  retail_predictive_application_server  15.0.3.100
oracle  retail_predictive_application_server  16.0
oracle  retail_predictive_application_server  16.0.3
oracle  retail_service_backbone  15.0
oracle  retail_service_backbone  16.0
oracle  retail_service_backbone  16.0.1
oracle  retail_xstore_point_of_service  7.1
oracle  tape_library_acsls  8.5
oracle  webcenter_sites  12.2.1.3.0
oracle  weblogic_server  10.3.6.0.0
oracle  weblogic_server  12.1.3.0.0
oracle  weblogic_server  12.2.1.3.0
oracle  weblogic_server  12.2.1.4.0
debian  debian_linux  9.0

x = vulnerable software versions
Debian Releases
Debian Product: libspring-java

Codename  Version   Status
bullseye  4.3.30-1  fixed
jessie    -         not-affected
sid       4.3.30-2  fixed
trixie    4.3.30-2  fixed
bookworm  4.3.30-2  fixed
Ubuntu Releases
Ubuntu Product: libspring-java

Codename  Status
noble     not-affected
mantic    not-affected
lunar     not-affected
kinetic   not-affected
jammy     not-affected
impish    not-affected
hirsute   not-affected
groovy    not-affected
focal     not-affected
bionic    not-affected
xenial    needed
trusty    needed
References