Details of VAR-201805-1190

ID

VAR-201805-1190

CVE

CVE-2018-1258

TITLE

Spring Framework Authorization vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-005018

DESCRIPTION

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. Pivotal Software Spring Framework is a set of open source Java and JavaEE application frameworks from Pivotal Software in the United States. The framework helps developers build high-quality applications. Pivotal Software Spring Security is a set of security framework provided by American Pivotal Software Company to provide descriptive security protection for Spring-based applications. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Fuse 7.4.0 security update Advisory ID: RHSA-2019:2413-01 Product: Red Hat JBoss Fuse Advisory URL: https://access.redhat.com/errata/RHSA-2019:2413 Issue date: 2019-08-08 CVE Names: CVE-2016-10750 CVE-2018-1258 CVE-2018-1320 CVE-2018-8088 CVE-2018-10899 CVE-2018-15758 CVE-2019-0192 CVE-2019-3805 ==================================================================== 1. Summary: A minor version update (from 7.3 to 7.4) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: This release of Red Hat Fuse 7.4.0 serves as a replacement for Red Hat Fuse 7.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * hazelcast: java deserialization in join cluster procedure leading to remote code execution (CVE-2016-10750) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * jolokia: system-wide CSRF that could lead to Remote Code Execution (CVE-2018-10899) * spring-security-oauth: Privilege escalation by manipulating saved authorization request (CVE-2018-15758) * solr: remote code execution due to unsafe deserialization (CVE-2019-0192) * thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class (CVE-2018-1320) * spring-security-core: Unauthorized Access with Spring Security Method Security (CVE-2018-1258) * wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. Installation instructions are available from the Fuse 7.4.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/ 4. Bugs fixed (https://bugzilla.redhat.com/): 1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution 1578582 - CVE-2018-1258 spring-security-core: Unauthorized Access with Spring Security Method Security 1601037 - CVE-2018-10899 jolokia: system-wide CSRF that could lead to Remote Code Execution 1643048 - CVE-2018-15758 spring-security-oauth: Privilege escalation by manipulating saved authorization request 1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users 1667204 - CVE-2018-1320 thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class 1692345 - CVE-2019-0192 solr: remote code execution due to unsafe deserialization 1713215 - CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution 5. References: https://access.redhat.com/security/cve/CVE-2016-10750 https://access.redhat.com/security/cve/CVE-2018-1258 https://access.redhat.com/security/cve/CVE-2018-1320 https://access.redhat.com/security/cve/CVE-2018-8088 https://access.redhat.com/security/cve/CVE-2018-10899 https://access.redhat.com/security/cve/CVE-2018-15758 https://access.redhat.com/security/cve/CVE-2019-0192 https://access.redhat.com/security/cve/CVE-2019-3805 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.4.0 https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXUv0xNzjgjWX9erEAQhCzRAAjdpuIeE+WhWxaZpzsfh333p6RXGKoB8g 4BGVD7yZjSNoPmRzkSuaNUTT0wYZdRLSNeYK1FvxqZlTBesHbe3IV80gDNiV2vad VzwNYukUoa6s8hdzKY/zCKwhuZ5cWkk+FLjFAPEfZt2Typ3kyYPnK/RxNnzfeSgc 90xh60LImUIJK/hGyOL40z8pGFbG404TJbdezYnQt0/l0NBGxPqBGOHnIgpZhAgw gNMEglpIrxap4UzwSEzA5tmjRUDHeUBpsUpKsez5XL2ECssqrRyK8Hj/KeacnARF Mnvf4U/lIOamD6Tles8IAFo/kexW+OxKiHbivOFutraLdEXysgkK8Uf5EQqYKW9+ 7OgEuyMxUi5Pbj4kL666iBp5oV95gEHm2zcQEbn65BFJ3nomb5nReHh5t7G0AqHy GYj9dlx84+UG0Fr717Vi586KwtCu6rgdZJS25+0kSCeZk/cowYLW09G+j/+Jk3yg N/uUfoxqmC/A+SyupFh1A9XZg7oZhkB+Qwo6D2+BejiwXsD8Jv4uzrI7U7+Lg/YK UFa2oqArMKNrF0zf9152lqCEpOL8dCO3X8RcB8LmQcapmr1MYGB+18oNT4o3JcY3 Aa1hoi5+2gGgR7HHuqTsxnDXYPtgqR9CMylc5gmYsMFK5W3sNX8Z/qazoH3fIVtu NNAto03aZgE=rpUB -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 2.16

sources: NVD: CVE-2018-1258 // JVNDB: JVNDB-2018-005018 // BID: 104222 // VULHUB: VHN-122553 // VULMON: CVE-2018-1258 // PACKETSTORM: 153980

AFFECTED PRODUCTS

vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.3	Trust: 1.3
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.1.3.0	Trust: 1.3
vendor:	oracle	model:	retail integration bus	scope:	eq	version:	14.1.2	Trust: 1.3
vendor:	oracle	model:	retail financial integration	scope:	eq	version:	16.0	Trust: 1.3
vendor:	oracle	model:	retail financial integration	scope:	eq	version:	15.0	Trust: 1.3
vendor:	oracle	model:	retail financial integration	scope:	eq	version:	14.1	Trust: 1.3
vendor:	oracle	model:	retail financial integration	scope:	eq	version:	14.0	Trust: 1.3
vendor:	oracle	model:	retail financial integration	scope:	eq	version:	13.2	Trust: 1.3
vendor:	oracle	model:	retail customer insights	scope:	eq	version:	16.0	Trust: 1.3
vendor:	oracle	model:	retail customer insights	scope:	eq	version:	15.0	Trust: 1.3
vendor:	oracle	model:	retail assortment planning	scope:	eq	version:	16.0	Trust: 1.3
vendor:	oracle	model:	retail assortment planning	scope:	eq	version:	15.0	Trust: 1.3
vendor:	oracle	model:	retail assortment planning	scope:	eq	version:	14.1	Trust: 1.3
vendor:	oracle	model:	micros lucas	scope:	eq	version:	2.9.5	Trust: 1.3
vendor:	oracle	model:	insurance rules palette	scope:	eq	version:	10.2	Trust: 1.3
vendor:	oracle	model:	insurance rules palette	scope:	eq	version:	10.0	Trust: 1.3
vendor:	oracle	model:	insurance calculation engine	scope:	eq	version:	10.2	Trust: 1.3
vendor:	oracle	model:	hospitality guest access	scope:	eq	version:	4.2.1	Trust: 1.3
vendor:	oracle	model:	healthcare master person index	scope:	eq	version:	4.0	Trust: 1.3
vendor:	oracle	model:	healthcare master person index	scope:	eq	version:	3.0	Trust: 1.3
vendor:	oracle	model:	health sciences information manager	scope:	eq	version:	3.0	Trust: 1.3
vendor:	oracle	model:	enterprise manager ops center	scope:	eq	version:	12.3.3	Trust: 1.3
vendor:	oracle	model:	application testing suite	scope:	eq	version:	13.3.0.1	Trust: 1.3
vendor:	oracle	model:	application testing suite	scope:	eq	version:	13.2.0.1	Trust: 1.3
vendor:	oracle	model:	application testing suite	scope:	eq	version:	13.1.0.1	Trust: 1.3
vendor:	oracle	model:	application testing suite	scope:	eq	version:	12.5.0.3	Trust: 1.3
vendor:	oracle	model:	agile plm	scope:	eq	version:	9.3.5	Trust: 1.3
vendor:	oracle	model:	agile plm	scope:	eq	version:	9.3.3	Trust: 1.3
vendor:	oracle	model:	agile plm	scope:	eq	version:	9.3.6	Trust: 1.3
vendor:	oracle	model:	agile plm	scope:	eq	version:	9.3.4	Trust: 1.3
vendor:	oracle	model:	retail xstore point of service	scope:	eq	version:	17.0	Trust: 1.0
vendor:	oracle	model:	communications network integrity	scope:	lte	version:	7.3.6	Trust: 1.0
vendor:	netapp	model:	oncommand unified manager	scope:	gte	version:	7.3	Trust: 1.0
vendor:	redhat	model:	fuse	scope:	eq	version:	7.3.0	Trust: 1.0
vendor:	pivotal	model:	spring security	scope:	eq	version:	*	Trust: 1.0
vendor:	oracle	model:	insurance rules palette	scope:	eq	version:	11.0	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	10.3.6.0	Trust: 1.0
vendor:	oracle	model:	retail central office	scope:	eq	version:	14.0	Trust: 1.0
vendor:	oracle	model:	service architecture leveraging tuxedo	scope:	eq	version:	12.2.2.0.0	Trust: 1.0
vendor:	oracle	model:	enterprise repository	scope:	eq	version:	12.1.3.0.0	Trust: 1.0
vendor:	oracle	model:	mysql enterprise monitor	scope:	lte	version:	8.0.2.8191	Trust: 1.0
vendor:	oracle	model:	communications network integrity	scope:	gte	version:	7.3.2	Trust: 1.0
vendor:	oracle	model:	retail back office	scope:	eq	version:	14.1	Trust: 1.0
vendor:	oracle	model:	application testing suite	scope:	eq	version:	10.1	Trust: 1.0
vendor:	oracle	model:	communications converged application server	scope:	lt	version:	7.0.0.1	Trust: 1.0
vendor:	oracle	model:	hospitality guest access	scope:	eq	version:	4.2.0	Trust: 1.0
vendor:	netapp	model:	oncommand insight	scope:	eq	version:	-	Trust: 1.0
vendor:	netapp	model:	snapcenter	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	goldengate for big data	scope:	eq	version:	12.3.2.1	Trust: 1.0
vendor:	oracle	model:	retail returns management	scope:	eq	version:	14.1	Trust: 1.0
vendor:	oracle	model:	insurance policy administration	scope:	eq	version:	10.0	Trust: 1.0
vendor:	netapp	model:	storage automation store	scope:	eq	version:	-	Trust: 1.0
vendor:	netapp	model:	oncommand unified manager	scope:	gte	version:	9.4	Trust: 1.0
vendor:	oracle	model:	endeca information discovery integrator	scope:	eq	version:	3.1.0	Trust: 1.0
vendor:	oracle	model:	insurance policy administration	scope:	eq	version:	11.0	Trust: 1.0
vendor:	oracle	model:	enterprise manager ops center	scope:	eq	version:	12.2.2	Trust: 1.0
vendor:	oracle	model:	insurance rules palette	scope:	eq	version:	10.1	Trust: 1.0
vendor:	oracle	model:	retail point-of-service	scope:	eq	version:	14.0	Trust: 1.0
vendor:	oracle	model:	peoplesoft enterprise fin install	scope:	eq	version:	9.2	Trust: 1.0
vendor:	oracle	model:	goldengate for big data	scope:	eq	version:	12.3.1.1	Trust: 1.0
vendor:	oracle	model:	retail central office	scope:	eq	version:	14.1	Trust: 1.0
vendor:	oracle	model:	insurance rules palette	scope:	eq	version:	11.1	Trust: 1.0
vendor:	oracle	model:	insurance calculation engine	scope:	eq	version:	10.2.1	Trust: 1.0
vendor:	oracle	model:	service architecture leveraging tuxedo	scope:	eq	version:	12.1.3.0.0	Trust: 1.0
vendor:	oracle	model:	insurance policy administration	scope:	eq	version:	10.2	Trust: 1.0
vendor:	oracle	model:	communications diameter signaling router	scope:	lt	version:	8.3	Trust: 1.0
vendor:	oracle	model:	tape library acsls	scope:	eq	version:	8.4	Trust: 1.0
vendor:	netapp	model:	oncommand workflow automation	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	enterprise manager for mysql database	scope:	eq	version:	13.2	Trust: 1.0
vendor:	oracle	model:	enterprise repository	scope:	eq	version:	11.1.1.7.0	Trust: 1.0
vendor:	oracle	model:	insurance calculation engine	scope:	eq	version:	10.1.1	Trust: 1.0
vendor:	oracle	model:	insurance policy administration	scope:	eq	version:	10.1	Trust: 1.0
vendor:	oracle	model:	endeca information discovery integrator	scope:	eq	version:	3.2.0	Trust: 1.0
vendor:	oracle	model:	retail back office	scope:	eq	version:	14.0	Trust: 1.0
vendor:	oracle	model:	goldengate for big data	scope:	eq	version:	12.2.0.1	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.2	Trust: 1.0
vendor:	oracle	model:	retail point-of-service	scope:	eq	version:	14.1	Trust: 1.0
vendor:	oracle	model:	big data discovery	scope:	eq	version:	1.6.0	Trust: 1.0
vendor:	vmware	model:	spring framework	scope:	eq	version:	5.0.5	Trust: 1.0
vendor:	oracle	model:	retail returns management	scope:	eq	version:	14.0	Trust: 1.0
vendor:	oracle	model:	communications performance intelligence center	scope:	lt	version:	10.2.1	Trust: 1.0
vendor:	oracle	model:	communications services gatekeeper	scope:	lt	version:	6.1.0.4.0	Trust: 1.0
vendor:	pivotal	model:	spring framework	scope:	lt	version:	5.0.6	Trust: 0.8
vendor:	pivotal	model:	spring framework	scope:	eq	version:	4.2.8	Trust: 0.6
vendor:	pivotal	model:	spring framework	scope:	eq	version:	4.2.7	Trust: 0.6
vendor:	pivotal	model:	spring framework	scope:	eq	version:	4.3.3	Trust: 0.6
vendor:	pivotal	model:	spring framework	scope:	eq	version:	4.2.5	Trust: 0.6
vendor:	pivotal	model:	spring framework	scope:	eq	version:	4.2.9	Trust: 0.6
vendor:	pivotal	model:	spring framework	scope:	eq	version:	4.3.1	Trust: 0.6
vendor:	pivotal	model:	spring framework	scope:	eq	version:	4.3.4	Trust: 0.6
vendor:	pivotal	model:	spring framework	scope:	eq	version:	4.3.0	Trust: 0.6
vendor:	pivotal	model:	spring framework	scope:	eq	version:	4.3.2	Trust: 0.6
vendor:	pivotal	model:	spring framework	scope:	eq	version:	4.2.4	Trust: 0.6
vendor:	pivotal	model:	spring security	scope:	eq	version:	0	Trust: 0.3
vendor:	pivotal	model:	spring framework 5.0.5.release	scope:	-	version:	-	Trust: 0.3
vendor:	oracle	model:	weblogic server	scope:	eq	version:	10.3.60	Trust: 0.3
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.3.0	Trust: 0.3
vendor:	oracle	model:	utilities network management system	scope:	eq	version:	1.12.0.3	Trust: 0.3
vendor:	oracle	model:	retail service backbone	scope:	eq	version:	16.0.1	Trust: 0.3
vendor:	oracle	model:	retail predictive application server	scope:	eq	version:	16.0	Trust: 0.3
vendor:	oracle	model:	retail predictive application server	scope:	eq	version:	15.0.3.100	Trust: 0.3
vendor:	oracle	model:	retail predictive application server	scope:	eq	version:	14.1.3.37	Trust: 0.3
vendor:	oracle	model:	retail predictive application server	scope:	eq	version:	14.0.3.26	Trust: 0.3
vendor:	oracle	model:	primavera gateway	scope:	eq	version:	17.12	Trust: 0.3
vendor:	oracle	model:	primavera gateway	scope:	eq	version:	16.2	Trust: 0.3
vendor:	oracle	model:	primavera gateway	scope:	eq	version:	15.2	Trust: 0.3
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	8.0.2.8191	Trust: 0.3
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	4.0.6.5281	Trust: 0.3
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	3.4.9.4237	Trust: 0.3
vendor:	oracle	model:	hospitality guest access	scope:	eq	version:	4.2	Trust: 0.3
vendor:	oracle	model:	flexcube private banking	scope:	eq	version:	2.21	Trust: 0.3
vendor:	oracle	model:	flexcube private banking	scope:	eq	version:	2.0.0.0	Trust: 0.3
vendor:	oracle	model:	flexcube private banking	scope:	eq	version:	12.1.0.0	Trust: 0.3
vendor:	oracle	model:	flexcube private banking	scope:	eq	version:	12.0.3.0	Trust: 0.3
vendor:	oracle	model:	flexcube private banking	scope:	eq	version:	12.0.1.0	Trust: 0.3
vendor:	oracle	model:	enterprise manager base platform	scope:	eq	version:	13.3.0.0.0	Trust: 0.3
vendor:	oracle	model:	enterprise manager base platform	scope:	eq	version:	13.2.0.0.0	Trust: 0.3
vendor:	oracle	model:	enterprise manager base platform	scope:	eq	version:	12.1.0.5.0	Trust: 0.3
vendor:	oracle	model:	enterprise manager	scope:	eq	version:	13.2.0.0	Trust: 0.3
vendor:	oracle	model:	endeca information discovery integrator	scope:	eq	version:	3.2	Trust: 0.3
vendor:	oracle	model:	endeca information discovery integrator	scope:	eq	version:	3.1	Trust: 0.3
vendor:	oracle	model:	communications unified inventory management	scope:	eq	version:	7.4	Trust: 0.3
vendor:	oracle	model:	communications unified inventory management	scope:	eq	version:	7.3.5	Trust: 0.3
vendor:	oracle	model:	communications unified inventory management	scope:	eq	version:	7.3.4	Trust: 0.3
vendor:	oracle	model:	communications unified inventory management	scope:	eq	version:	7.3.2	Trust: 0.3
vendor:	oracle	model:	communications services gatekeeper	scope:	eq	version:	6.0	Trust: 0.3
vendor:	oracle	model:	communications services gatekeeper	scope:	eq	version:	5.1	Trust: 0.3
vendor:	oracle	model:	communications performance intelligence center software	scope:	eq	version:	10.2	Trust: 0.3
vendor:	oracle	model:	communications performance intelligence center software	scope:	eq	version:	10.1.5.1	Trust: 0.3
vendor:	oracle	model:	communications performance intelligence center	scope:	eq	version:	10.1.5	Trust: 0.3
vendor:	oracle	model:	communications performance intelligence center	scope:	eq	version:	10.1	Trust: 0.3
vendor:	oracle	model:	communications performance intelligence center	scope:	eq	version:	9.0.3	Trust: 0.3
vendor:	oracle	model:	communications performance intelligence center	scope:	eq	version:	9.0	Trust: 0.3
vendor:	oracle	model:	communications diameter signaling router	scope:	eq	version:	7.1	Trust: 0.3
vendor:	oracle	model:	communications diameter signaling router	scope:	eq	version:	6.0.2	Trust: 0.3
vendor:	oracle	model:	communications diameter signaling router	scope:	eq	version:	6.0	Trust: 0.3
vendor:	oracle	model:	communications diameter signaling router	scope:	eq	version:	5.1	Trust: 0.3
vendor:	oracle	model:	communications diameter signaling router	scope:	eq	version:	4.1.6	Trust: 0.3
vendor:	oracle	model:	communications diameter signaling router	scope:	eq	version:	4.1	Trust: 0.3
vendor:	oracle	model:	communications diameter signaling router	scope:	eq	version:	8.0	Trust: 0.3
vendor:	oracle	model:	communications diameter signaling router	scope:	eq	version:	7.0	Trust: 0.3
vendor:	oracle	model:	communications diameter signaling router	scope:	eq	version:	5.0	Trust: 0.3
vendor:	oracle	model:	communications diameter signaling router	scope:	eq	version:	4.0	Trust: 0.3
vendor:	oracle	model:	communications diameter signaling router	scope:	eq	version:	3.0	Trust: 0.3
vendor:	pivotal	model:	spring framework 5.0.6.release	scope:	ne	version:	-	Trust: 0.3
vendor:	oracle	model:	communications services gatekeeper	scope:	ne	version:	6.1.0.4.0	Trust: 0.3
vendor:	oracle	model:	communications performance intelligence center software	scope:	ne	version:	10.2.1	Trust: 0.3
vendor:	oracle	model:	communications diameter signaling router	scope:	ne	version:	8.3	Trust: 0.3

sources: BID: 104222 // JVNDB: JVNDB-2018-005018 // CNNVD: CNNVD-201805-404 // NVD: CVE-2018-1258

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-1258
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-1258
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201805-404
value:	HIGH
Trust: 0.6
VULHUB:	VHN-122553
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2018-1258
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-1258
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-122553
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-1258
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2018-1258
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-122553 // VULMON: CVE-2018-1258 // JVNDB: JVNDB-2018-005018 // CNNVD: CNNVD-201805-404 // NVD: CVE-2018-1258

PROBLEMTYPE DATA

problemtype:	CWE-863	Trust: 1.1
problemtype:	CWE-285	Trust: 0.9

sources: VULHUB: VHN-122553 // JVNDB: JVNDB-2018-005018 // NVD: CVE-2018-1258

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201805-404

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201805-404

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-005018

PATCH

title:	CVE-2018-1258: Unauthorized Access with Spring Security Method Security	url:	https://pivotal.io/security/cve-2018-1258	Trust: 0.8
title:	Pivotal Spring Security and Spring Framework Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=80031	Trust: 0.6
title:	Red Hat: Important: Red Hat Fuse 7.4.0 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20192413 - Security Advisory	Trust: 0.1
title:	Red Hat: CVE-2018-1258	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2018-1258	Trust: 0.1
title:	Oracle: Oracle Critical Patch Update Advisory - July 2018	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=5f8c525f1408011628af1792207b2099	Trust: 0.1
title:	Oracle: Oracle Critical Patch Update Advisory - January 2019	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=f655264a6935505d167bbf45f409a57b	Trust: 0.1
title:	Oracle: Oracle Critical Patch Update Advisory - October 2018	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=81c63752a6f26433af2128b2e8c02385	Trust: 0.1
title:	nvd_scrapper	url:	https://github.com/abhav/nvd_scrapper	Trust: 0.1
title:	cybsec	url:	https://github.com/ilmari666/cybsec	Trust: 0.1

sources: VULMON: CVE-2018-1258 // JVNDB: JVNDB-2018-005018 // CNNVD: CNNVD-201805-404

EXTERNAL IDS

db:	NVD	id:	CVE-2018-1258	Trust: 3.0
db:	BID	id:	104222	Trust: 2.1
db:	SECTRACK	id:	1041896	Trust: 1.8
db:	SECTRACK	id:	1041888	Trust: 1.8
db:	JVNDB	id:	JVNDB-2018-005018	Trust: 0.8
db:	CNNVD	id:	CNNVD-201805-404	Trust: 0.7
db:	PACKETSTORM	id:	153980	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.3040	Trust: 0.6
db:	VULHUB	id:	VHN-122553	Trust: 0.1
db:	VULMON	id:	CVE-2018-1258	Trust: 0.1

sources: VULHUB: VHN-122553 // VULMON: CVE-2018-1258 // BID: 104222 // JVNDB: JVNDB-2018-005018 // PACKETSTORM: 153980 // CNNVD: CNNVD-201805-404 // NVD: CVE-2018-1258

REFERENCES

url:	http://www.securityfocus.com/bid/104222	Trust: 3.1
url:	http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	Trust: 2.7
url:	https://access.redhat.com/errata/rhsa-2019:2413	Trust: 2.5
url:	https://www.oracle.com/security-alerts/cpujul2020.html	Trust: 2.4
url:	https://pivotal.io/security/cve-2018-1258	Trust: 2.1
url:	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	Trust: 2.1
url:	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Trust: 2.1
url:	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Trust: 2.1
url:	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Trust: 1.8
url:	https://security.netapp.com/advisory/ntap-20181018-0002/	Trust: 1.8
url:	https://www.oracle.com/security-alerts/cpuapr2020.html	Trust: 1.8
url:	https://www.oracle.com/security-alerts/cpujan2020.html	Trust: 1.8
url:	https://www.oracle.com/security-alerts/cpujan2021.html	Trust: 1.8
url:	https://www.oracle.com/security-alerts/cpuoct2021.html	Trust: 1.8
url:	http://www.securitytracker.com/id/1041888	Trust: 1.8
url:	http://www.securitytracker.com/id/1041896	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-1258	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1258	Trust: 0.8
url:	http://pivotal.io/	Trust: 0.6
url:	https://packetstormsecurity.com/files/153980/red-hat-security-advisory-2019-2413-01.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3040/	Trust: 0.6
url:	https://www.oracle.com/security-alerts/cpujan2020verbose.html	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/863.html	Trust: 0.1
url:	https://tools.cisco.com/security/center/viewalert.x?alertid=57883	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/abhav/nvd_scrapper	Trust: 0.1
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.fuse&version=7.4.0	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2018-1320	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2018-10899	Trust: 0.1
url:	https://access.redhat.com/security/team/contact/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-10750	Trust: 0.1
url:	https://www.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-0192	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2018-8088	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-10899	Trust: 0.1
url:	https://bugzilla.redhat.com/):	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-1320	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2016-10750	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-15758	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-8088	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-0192	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2018-1258	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-3805	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2018-15758	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3805	Trust: 0.1

sources: VULHUB: VHN-122553 // VULMON: CVE-2018-1258 // BID: 104222 // JVNDB: JVNDB-2018-005018 // PACKETSTORM: 153980 // CNNVD: CNNVD-201805-404 // NVD: CVE-2018-1258

CREDITS

Red Hat,Spring Security Team.

Trust: 0.6

sources: CNNVD: CNNVD-201805-404

SOURCES

db:	VULHUB	id:	VHN-122553
db:	VULMON	id:	CVE-2018-1258
db:	BID	id:	104222
db:	JVNDB	id:	JVNDB-2018-005018
db:	PACKETSTORM	id:	153980
db:	CNNVD	id:	CNNVD-201805-404
db:	NVD	id:	CVE-2018-1258

LAST UPDATE DATE

2024-08-14T12:58:28.693000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-122553	date:	2020-07-15T00:00:00
db:	VULMON	id:	CVE-2018-1258	date:	2022-04-11T00:00:00
db:	BID	id:	104222	date:	2019-07-17T09:00:00
db:	JVNDB	id:	JVNDB-2018-005018	date:	2018-07-04T00:00:00
db:	CNNVD	id:	CNNVD-201805-404	date:	2021-10-21T00:00:00
db:	NVD	id:	CVE-2018-1258	date:	2022-04-11T17:18:30.107

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-122553	date:	2018-05-11T00:00:00
db:	VULMON	id:	CVE-2018-1258	date:	2018-05-11T00:00:00
db:	BID	id:	104222	date:	2018-05-09T00:00:00
db:	JVNDB	id:	JVNDB-2018-005018	date:	2018-07-04T00:00:00
db:	PACKETSTORM	id:	153980	date:	2019-08-08T14:34:03
db:	CNNVD	id:	CNNVD-201805-404	date:	2018-05-14T00:00:00
db:	NVD	id:	CVE-2018-1258	date:	2018-05-11T20:29:00.260