Information Exposure Affecting org.springframework:spring-web package, versions [4.3.0.RELEASE,4.3.18.RELEASE) [5.0.0.RELEASE,5.0.7.RELEASE)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORK-31689
- published 25 Dec 2016
- disclosed 25 Dec 2016
- credit Mariusz Luciow
Introduced: 25 Dec 2016
CVE-2018-11040 Open this link in a new tabHow to fix?
Upgrade org.springframework:spring-web
to version 4.3.18.RELEASE, 5.0.7.RELEASE or higher.
Overview
org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.
Affected versions of this package are vulnerable to Information Exposure. It allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice
for REST controllers, and MappingJackson2JsonView
for browser requests. When MappingJackson2JsonView
is configured in an application, JSONP support is automatically ready to use through the jsonp
and callback
JSONP parameters, enabling cross-domain requests.
Allowing cross-domain requests from untrusted origins may expose user information to 3rd party browser scripts.