Spring Security and Spring Framework CVE-2018-1258 Authorization Bypass Vulnerability
| Bugtraq ID: | 104222 |
| Class: | Design Error |
| CVE: | CVE-2018-1258 |
| Remote: | Yes |
| Local: | No |
| Published: | May 09 2018 12:00AM |
| Updated: | Jul 17 2019 09:00AM |
| Credit: | Spring Security Team. |

Vulnerable:
- Pivotal Spring Security 0
- Pivotal Spring Framework 5.0.5.RELEASE
- Oracle Weblogic Server 10.3.6 0
- Oracle Weblogic Server 12.2.1.3.0
- Oracle Weblogic Server 12.2.1.3
- Oracle Weblogic Server 12.1.3.0
- Oracle Utilities Network Management System 1.12.0.3
- Oracle Retail Service Backbone 16.0.1
- Oracle Retail Predictive Application Server 16.0
- Oracle Retail Predictive Application Server 15.0.3.100
- Oracle Retail Predictive Application Server 14.1.3.37
- Oracle Retail Predictive Application Server 14.0.3.26
- Oracle Retail Integration Bus 14.1.2
- Oracle Retail Financial Integration 16.0
- Oracle Retail Financial Integration 15.0
- Oracle Retail Financial Integration 14.1
- Oracle Retail Financial Integration 14.0
- Oracle Retail Financial Integration 13.2
- Oracle Retail Customer Insights 16.0
- Oracle Retail Customer Insights 15.0
- Oracle Retail Assortment Planning 16.0
- Oracle Retail Assortment Planning 15.0
- Oracle Retail Assortment Planning 14.1
- Oracle Primavera Gateway 17.12
- Oracle Primavera Gateway 16.2
- Oracle Primavera Gateway 15.2
- Oracle MySQL Enterprise Monitor 8.0.2.8191
- Oracle MySQL Enterprise Monitor 4.0.6.5281
- Oracle MySQL Enterprise Monitor 3.4.9.4237
- Oracle MICROS Lucas 2.9.5
- Oracle Insurance Rules Palette 10.2
- Oracle Insurance Rules Palette 10.0
- Oracle Insurance Calculation Engine 10.2
- Oracle Hospitality Guest Access 4.2.1
- Oracle Hospitality Guest Access 4.2
- Oracle Healthcare Master Person Index 4.0
- Oracle Healthcare Master Person Index 3.0
- Oracle Health Sciences Information Manager 3.0
- Oracle FLEXCUBE Private Banking 2.2 1
- Oracle FLEXCUBE Private Banking 2.0.0.0
- Oracle FLEXCUBE Private Banking 12.1.0.0
- Oracle FLEXCUBE Private Banking 12.0.3.0
- Oracle FLEXCUBE Private Banking 12.0.1.0
- Oracle Enterprise Manager Ops Center 12.3.3
- Oracle Enterprise Manager Base Platform 13.3.0.0.0
- Oracle Enterprise Manager Base Platform 13.2.0.0.0
- Oracle Enterprise Manager Base Platform 12.1.0.5.0
- Oracle Enterprise Manager 13.2.0.0
- Oracle Endeca Information Discovery Integrator 3.2
- Oracle Endeca Information Discovery Integrator 3.1
- Oracle Communications Unified Inventory Management 7.4
- Oracle Communications Unified Inventory Management 7.3.5
- Oracle Communications Unified Inventory Management 7.3.4
- Oracle Communications Unified Inventory Management 7.3.2
- Oracle Communications Services Gatekeeper 6.0
- Oracle Communications Services Gatekeeper 5.1
- Oracle Communications Performance Intelligence Center (PIC) Software 10.2
- Oracle Communications Performance Intelligence Center (PIC) Software 10.1.5.1
- Oracle Communications Performance Intelligence Center 10.1.5
- Oracle Communications Performance Intelligence Center 10.1
- Oracle Communications Performance Intelligence Center 9.0.3
- Oracle Communications Performance Intelligence Center 9.0
- Oracle Communications Diameter Signaling Router 7.1
- Oracle Communications Diameter Signaling Router 6.0.2
- Oracle Communications Diameter Signaling Router 6.0
- Oracle Communications Diameter Signaling Router 5.1
- Oracle Communications Diameter Signaling Router 4.1.6
- Oracle Communications Diameter Signaling Router 4.1
- Oracle Communications Diameter Signaling Router 8.0
- Oracle Communications Diameter Signaling Router 7.0
- Oracle Communications Diameter Signaling Router 5.0
- Oracle Communications Diameter Signaling Router 4.0
- Oracle Communications Diameter Signaling Router 3.0
- Oracle Application Testing Suite 13.3.0.1
- Oracle Application Testing Suite 13.2.0.1
- Oracle Application Testing Suite 13.1.0.1
- Oracle Application Testing Suite 12.5.0.3
- Oracle Agile PLM 9.3.5
- Oracle Agile PLM 9.3.3
- Oracle Agile PLM 9.3.6
- Oracle Agile PLM 9.3.4

Not Vulnerable:
- Pivotal Spring Framework 5.0.6.RELEASE
- Oracle Communications Services Gatekeeper 6.1.0.4.0
- Oracle Communications Performance Intelligence Center (PIC) Software 10.2.1
- Oracle Communications Diameter Signaling Router 8.3
Discussion
Spring Security and Spring Framework are prone to an authorization-bypass vulnerability.
An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks.
Exploit / POC
Currently, we are not aware of any exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
References:
- CVE-2018-1258: Unauthorized Access with Spring Security Method Security (Pivotal)
- Oracle Critical Patch Update Advisory - April 2019 (Oracle)
- Oracle Critical Patch Update Advisory - January 2019 (Oracle)
- Oracle Critical Patch Update Advisory - July 2019 (Oracle)
- Oracle Critical Patch Update Advisory - October 2018 (Oracle)