Spring Framework Vulnerabilities CVE-2022-22971 CVE-2018-11039 CVE-2018-11040 

Issue date: 21-09-2022
Affects versions: 15.1, 14.7, 13.4

Security Issue ID

SECURITY-352, SECURITY-357

Affected Product Version(s)

15.1.0, 14.7.8, 13.4.18, and all previous versions


Severity 

Medium


Description

CVE-2022-22971

A Spring application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user. The spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions are affected.

CVE-2018-11039

Spring Framework allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

CVE-2018-11040

Spring Framework allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers, and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot. However when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

The problems have been recognized and patched.

Instructions

Customers are recommended to upgrade to the latest version. As of the time of writing, 15.1.1, 14.7.9 or 13.4.19