ID

VAR-201805-1190


CVE

CVE-2018-1258


TITLE

Spring Framework Authorization vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-005018

DESCRIPTION

Spring Framework version 5.0.5, when used in combination with any version of Spring Security, contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks.

Pivotal Software Spring Framework is a set of open source Java and JavaEE application frameworks from Pivotal Software in the United States. The framework helps developers build high-quality applications. Pivotal Software Spring Security is a security framework provided by the American company Pivotal Software that offers declarative security protection for Spring-based applications.

====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Fuse 7.4.0 security update
Advisory ID: RHSA-2019:2413-01
Product: Red Hat JBoss Fuse
Advisory URL: https://access.redhat.com/errata/RHSA-2019:2413
Issue date: 2019-08-08
CVE Names: CVE-2016-10750 CVE-2018-1258 CVE-2018-1320 CVE-2018-8088 CVE-2018-10899 CVE-2018-15758 CVE-2019-0192 CVE-2019-3805
====================================================================

1. Summary:

A minor version update (from 7.3 to 7.4) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

This release of Red Hat Fuse 7.4.0 serves as a replacement for Red Hat Fuse 7.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

* hazelcast: java deserialization in join cluster procedure leading to remote code execution (CVE-2016-10750)
* slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)
* jolokia: system-wide CSRF that could lead to Remote Code Execution (CVE-2018-10899)
* spring-security-oauth: Privilege escalation by manipulating saved authorization request (CVE-2018-15758)
* solr: remote code execution due to unsafe deserialization (CVE-2019-0192)
* thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class (CVE-2018-1320)
* spring-security-core: Unauthorized Access with Spring Security Method Security (CVE-2018-1258)
* wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Installation instructions are available from the Fuse 7.4.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/

4. Bugs fixed (https://bugzilla.redhat.com/):

1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
1578582 - CVE-2018-1258 spring-security-core: Unauthorized Access with Spring Security Method Security
1601037 - CVE-2018-10899 jolokia: system-wide CSRF that could lead to Remote Code Execution
1643048 - CVE-2018-15758 spring-security-oauth: Privilege escalation by manipulating saved authorization request
1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users
1667204 - CVE-2018-1320 thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class
1692345 - CVE-2019-0192 solr: remote code execution due to unsafe deserialization
1713215 - CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution

5. References:

https://access.redhat.com/security/cve/CVE-2016-10750
https://access.redhat.com/security/cve/CVE-2018-1258
https://access.redhat.com/security/cve/CVE-2018-1320
https://access.redhat.com/security/cve/CVE-2018-8088
https://access.redhat.com/security/cve/CVE-2018-10899
https://access.redhat.com/security/cve/CVE-2018-15758
https://access.redhat.com/security/cve/CVE-2019-0192
https://access.redhat.com/security/cve/CVE-2019-3805
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.4.0
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

Trust: 2.16

sources: NVD: CVE-2018-1258 // JVNDB: JVNDB-2018-005018 // BID: 104222 // VULHUB: VHN-122553 // VULMON: CVE-2018-1258 // PACKETSTORM: 153980

AFFECTED PRODUCTS

vendor | model | scope | version | trust
oracle | weblogic server | eq | 12.2.1.3 | 1.3
oracle | weblogic server | eq | 12.1.3.0 | 1.3
oracle | retail integration bus | eq | 14.1.2 | 1.3
oracle | retail financial integration | eq | 16.0 | 1.3
oracle | retail financial integration | eq | 15.0 | 1.3
oracle | retail financial integration | eq | 14.1 | 1.3
oracle | retail financial integration | eq | 14.0 | 1.3
oracle | retail financial integration | eq | 13.2 | 1.3
oracle | retail customer insights | eq | 16.0 | 1.3
oracle | retail customer insights | eq | 15.0 | 1.3
oracle | retail assortment planning | eq | 16.0 | 1.3
oracle | retail assortment planning | eq | 15.0 | 1.3
oracle | retail assortment planning | eq | 14.1 | 1.3
oracle | micros lucas | eq | 2.9.5 | 1.3
oracle | insurance rules palette | eq | 10.2 | 1.3
oracle | insurance rules palette | eq | 10.0 | 1.3
oracle | insurance calculation engine | eq | 10.2 | 1.3
oracle | hospitality guest access | eq | 4.2.1 | 1.3
oracle | healthcare master person index | eq | 4.0 | 1.3
oracle | healthcare master person index | eq | 3.0 | 1.3
oracle | health sciences information manager | eq | 3.0 | 1.3
oracle | enterprise manager ops center | eq | 12.3.3 | 1.3
oracle | application testing suite | eq | 13.3.0.1 | 1.3
oracle | application testing suite | eq | 13.2.0.1 | 1.3
oracle | application testing suite | eq | 13.1.0.1 | 1.3
oracle | application testing suite | eq | 12.5.0.3 | 1.3
oracle | agile plm | eq | 9.3.5 | 1.3
oracle | agile plm | eq | 9.3.3 | 1.3
oracle | agile plm | eq | 9.3.6 | 1.3
oracle | agile plm | eq | 9.3.4 | 1.3
oracle | goldengate for big data | eq | 12.2.0.1 | 1.0
oracle | weblogic server | eq | 12.2.1.2 | 1.0
oracle | enterprise manager ops center | eq | 12.2.2 | 1.0
oracle | retail central office | eq | 14.0 | 1.0
oracle | insurance policy administration | eq | 10.1 | 1.0
oracle | big data discovery | eq | 1.6.0 | 1.0
oracle | insurance policy administration | eq | 11.0 | 1.0
oracle | insurance policy administration | eq | 10.0 | 1.0
oracle | enterprise manager for mysql database | eq | 13.2 | 1.0
oracle | retail back office | eq | 14.0 | 1.0
oracle | communications network integrity | lte | 7.3.6 | 1.0
netapp | snapcenter | eq | - | 1.0
oracle | communications performance intelligence center | lt | 10.2.1 | 1.0
oracle | weblogic server | eq | 10.3.6.0 | 1.0
oracle | endeca information discovery integrator | eq | 3.2.0 | 1.0
oracle | communications diameter signaling router | lt | 8.3 | 1.0
oracle | service architecture leveraging tuxedo | eq | 12.2.2.0.0 | 1.0
netapp | oncommand workflow automation | eq | - | 1.0
oracle | communications network integrity | gte | 7.3.2 | 1.0
oracle | goldengate for big data | eq | 12.3.2.1 | 1.0
oracle | enterprise repository | eq | 11.1.1.7.0 | 1.0
oracle | insurance calculation engine | eq | 10.1.1 | 1.0
oracle | insurance rules palette | eq | 10.1 | 1.0
oracle | hospitality guest access | eq | 4.2.0 | 1.0
netapp | oncommand unified manager | gte | 9.4 | 1.0
pivotal | spring security | eq | * | 1.0
oracle | communications converged application server | lt | 7.0.0.1 | 1.0
oracle | retail point-of-service | eq | 14.1 | 1.0
redhat | fuse | eq | 7.3.0 | 1.0
vmware | spring framework | eq | 5.0.5 | 1.0
oracle | mysql enterprise monitor | lte | 8.0.2.8191 | 1.0
netapp | storage automation store | eq | - | 1.0
oracle | retail returns management | eq | 14.1 | 1.0
oracle | goldengate for big data | eq | 12.3.1.1 | 1.0
oracle | endeca information discovery integrator | eq | 3.1.0 | 1.0
oracle | tape library acsls | eq | 8.4 | 1.0
oracle | insurance policy administration | eq | 10.2 | 1.0
oracle | retail point-of-service | eq | 14.0 | 1.0
netapp | oncommand insight | eq | - | 1.0
netapp | oncommand unified manager | gte | 7.3 | 1.0
oracle | enterprise repository | eq | 12.1.3.0.0 | 1.0
oracle | insurance rules palette | eq | 11.1 | 1.0
oracle | insurance calculation engine | eq | 10.2.1 | 1.0
oracle | application testing suite | eq | 10.1 | 1.0
oracle | service architecture leveraging tuxedo | eq | 12.1.3.0.0 | 1.0
oracle | retail central office | eq | 14.1 | 1.0
oracle | retail returns management | eq | 14.0 | 1.0
oracle | retail xstore point of service | eq | 17.0 | 1.0
oracle | communications services gatekeeper | lt | 6.1.0.4.0 | 1.0
oracle | insurance rules palette | eq | 11.0 | 1.0
oracle | retail back office | eq | 14.1 | 1.0
oracle | peoplesoft enterprise fin install | eq | 9.2 | 1.0
pivotal | spring framework | lt | 5.0.6 | 0.8
pivotal | spring framework | eq | 4.2.8 | 0.6
pivotal | spring framework | eq | 4.2.7 | 0.6
pivotal | spring framework | eq | 4.3.3 | 0.6
pivotal | spring framework | eq | 4.2.5 | 0.6
pivotal | spring framework | eq | 4.2.9 | 0.6
pivotal | spring framework | eq | 4.3.1 | 0.6
pivotal | spring framework | eq | 4.3.4 | 0.6
pivotal | spring framework | eq | 4.3.0 | 0.6
pivotal | spring framework | eq | 4.3.2 | 0.6
pivotal | spring framework | eq | 4.2.4 | 0.6
pivotal | spring security | eq | 0 | 0.3
pivotal | spring framework 5.0.5.release | - | - | 0.3
oracle | weblogic server | eq | 10.3.60 | 0.3
oracle | weblogic server | eq | 12.2.1.3.0 | 0.3
oracle | utilities network management system | eq | 1.12.0.3 | 0.3
oracle | retail service backbone | eq | 16.0.1 | 0.3
oracle | retail predictive application server | eq | 16.0 | 0.3
oracle | retail predictive application server | eq | 15.0.3.100 | 0.3
oracle | retail predictive application server | eq | 14.1.3.37 | 0.3
oracle | retail predictive application server | eq | 14.0.3.26 | 0.3
oracle | primavera gateway | eq | 17.12 | 0.3
oracle | primavera gateway | eq | 16.2 | 0.3
oracle | primavera gateway | eq | 15.2 | 0.3
oracle | mysql enterprise monitor | eq | 8.0.2.8191 | 0.3
oracle | mysql enterprise monitor | eq | 4.0.6.5281 | 0.3
oracle | mysql enterprise monitor | eq | 3.4.9.4237 | 0.3
oracle | hospitality guest access | eq | 4.2 | 0.3
oracle | flexcube private banking | eq | 2.21 | 0.3
oracle | flexcube private banking | eq | 2.0.0.0 | 0.3
oracle | flexcube private banking | eq | 12.1.0.0 | 0.3
oracle | flexcube private banking | eq | 12.0.3.0 | 0.3
oracle | flexcube private banking | eq | 12.0.1.0 | 0.3
oracle | enterprise manager base platform | eq | 13.3.0.0.0 | 0.3
oracle | enterprise manager base platform | eq | 13.2.0.0.0 | 0.3
oracle | enterprise manager base platform | eq | 12.1.0.5.0 | 0.3
oracle | enterprise manager | eq | 13.2.0.0 | 0.3
oracle | endeca information discovery integrator | eq | 3.2 | 0.3
oracle | endeca information discovery integrator | eq | 3.1 | 0.3
oracle | communications unified inventory management | eq | 7.4 | 0.3
oracle | communications unified inventory management | eq | 7.3.5 | 0.3
oracle | communications unified inventory management | eq | 7.3.4 | 0.3
oracle | communications unified inventory management | eq | 7.3.2 | 0.3
oracle | communications services gatekeeper | eq | 6.0 | 0.3
oracle | communications services gatekeeper | eq | 5.1 | 0.3
oracle | communications performance intelligence center software | eq | 10.2 | 0.3
oracle | communications performance intelligence center software | eq | 10.1.5.1 | 0.3
oracle | communications performance intelligence center | eq | 10.1.5 | 0.3
oracle | communications performance intelligence center | eq | 10.1 | 0.3
oracle | communications performance intelligence center | eq | 9.0.3 | 0.3
oracle | communications performance intelligence center | eq | 9.0 | 0.3
oracle | communications diameter signaling router | eq | 7.1 | 0.3
oracle | communications diameter signaling router | eq | 6.0.2 | 0.3
oracle | communications diameter signaling router | eq | 6.0 | 0.3
oracle | communications diameter signaling router | eq | 5.1 | 0.3
oracle | communications diameter signaling router | eq | 4.1.6 | 0.3
oracle | communications diameter signaling router | eq | 4.1 | 0.3
oracle | communications diameter signaling router | eq | 8.0 | 0.3
oracle | communications diameter signaling router | eq | 7.0 | 0.3
oracle | communications diameter signaling router | eq | 5.0 | 0.3
oracle | communications diameter signaling router | eq | 4.0 | 0.3
oracle | communications diameter signaling router | eq | 3.0 | 0.3
pivotal | spring framework 5.0.6.release | ne | - | 0.3
oracle | communications services gatekeeper | ne | 6.1.0.4.0 | 0.3
oracle | communications performance intelligence center software | ne | 10.2.1 | 0.3
oracle | communications diameter signaling router | ne | 8.3 | 0.3

sources: BID: 104222 // JVNDB: JVNDB-2018-005018 // CNNVD: CNNVD-201805-404 // NVD: CVE-2018-1258

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-1258
value: HIGH

Trust: 1.0

NVD: CVE-2018-1258
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201805-404
value: HIGH

Trust: 0.6

VULHUB: VHN-122553
value: MEDIUM

Trust: 0.1

VULMON: CVE-2018-1258
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-1258
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-122553
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-1258
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2018-1258
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-122553 // VULMON: CVE-2018-1258 // JVNDB: JVNDB-2018-005018 // CNNVD: CNNVD-201805-404 // NVD: CVE-2018-1258

PROBLEMTYPE DATA

problemtype:CWE-863

Trust: 1.1

problemtype:CWE-285

Trust: 0.9

sources: VULHUB: VHN-122553 // JVNDB: JVNDB-2018-005018 // NVD: CVE-2018-1258

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201805-404

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201805-404

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-005018

PATCH

title: CVE-2018-1258: Unauthorized Access with Spring Security Method Security
url: https://pivotal.io/security/cve-2018-1258

Trust: 0.8

title: Pivotal Spring Security and Spring Framework Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=80031

Trust: 0.6

title: Red Hat: Important: Red Hat Fuse 7.4.0 security update
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20192413 - Security Advisory

Trust: 0.1

title: Red Hat: CVE-2018-1258
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2018-1258

Trust: 0.1

title: Oracle: Oracle Critical Patch Update Advisory - July 2018
url: https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=5f8c525f1408011628af1792207b2099

Trust: 0.1

title: Oracle: Oracle Critical Patch Update Advisory - January 2019
url: https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=f655264a6935505d167bbf45f409a57b

Trust: 0.1

title: Oracle: Oracle Critical Patch Update Advisory - October 2018
url: https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=81c63752a6f26433af2128b2e8c02385

Trust: 0.1

title: nvd_scrapper
url: https://github.com/abhav/nvd_scrapper

Trust: 0.1

title: cybsec
url: https://github.com/ilmari666/cybsec

Trust: 0.1

sources: VULMON: CVE-2018-1258 // JVNDB: JVNDB-2018-005018 // CNNVD: CNNVD-201805-404

EXTERNAL IDS

db | id | trust
NVD | CVE-2018-1258 | 3.0
BID | 104222 | 2.1
SECTRACK | 1041896 | 1.8
SECTRACK | 1041888 | 1.8
JVNDB | JVNDB-2018-005018 | 0.8
CNNVD | CNNVD-201805-404 | 0.7
PACKETSTORM | 153980 | 0.7
AUSCERT | ESB-2019.3040 | 0.6
VULHUB | VHN-122553 | 0.1
VULMON | CVE-2018-1258 | 0.1

sources: VULHUB: VHN-122553 // VULMON: CVE-2018-1258 // BID: 104222 // JVNDB: JVNDB-2018-005018 // PACKETSTORM: 153980 // CNNVD: CNNVD-201805-404 // NVD: CVE-2018-1258

REFERENCES

url:http://www.securityfocus.com/bid/104222

Trust: 3.1

url:http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Trust: 2.7

url:https://access.redhat.com/errata/rhsa-2019:2413

Trust: 2.5

url:https://www.oracle.com/security-alerts/cpujul2020.html

Trust: 2.4

url:https://pivotal.io/security/cve-2018-1258

Trust: 2.1

url:https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Trust: 2.1

url:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Trust: 2.1

url:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Trust: 2.1

url:http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Trust: 1.8

url:https://security.netapp.com/advisory/ntap-20181018-0002/

Trust: 1.8

url:https://www.oracle.com/security-alerts/cpuapr2020.html

Trust: 1.8

url:https://www.oracle.com/security-alerts/cpujan2020.html

Trust: 1.8

url:https://www.oracle.com/security-alerts/cpujan2021.html

Trust: 1.8

url:https://www.oracle.com/security-alerts/cpuoct2021.html

Trust: 1.8

url:http://www.securitytracker.com/id/1041888

Trust: 1.8

url:http://www.securitytracker.com/id/1041896

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-1258

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1258

Trust: 0.8

url:http://pivotal.io/

Trust: 0.6

url:https://packetstormsecurity.com/files/153980/red-hat-security-advisory-2019-2413-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3040/

Trust: 0.6

url:https://www.oracle.com/security-alerts/cpujan2020verbose.html

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/863.html

Trust: 0.1

url:https://tools.cisco.com/security/center/viewalert.x?alertid=57883

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/abhav/nvd_scrapper

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.fuse&version=7.4.0

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-1320

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-10899

Trust: 0.1

url:https://access.redhat.com/security/team/contact/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-10750

Trust: 0.1

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-0192

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-8088

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-10899

Trust: 0.1

url:https://bugzilla.redhat.com/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-1320

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-10750

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-15758

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-8088

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-0192

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-1258

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-3805

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-15758

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-3805

Trust: 0.1

sources: VULHUB: VHN-122553 // VULMON: CVE-2018-1258 // BID: 104222 // JVNDB: JVNDB-2018-005018 // PACKETSTORM: 153980 // CNNVD: CNNVD-201805-404 // NVD: CVE-2018-1258

CREDITS

Red Hat, Spring Security Team.

Trust: 0.6

sources: CNNVD: CNNVD-201805-404

SOURCES

db | id
VULHUB | VHN-122553
VULMON | CVE-2018-1258
BID | 104222
JVNDB | JVNDB-2018-005018
PACKETSTORM | 153980
CNNVD | CNNVD-201805-404
NVD | CVE-2018-1258

LAST UPDATE DATE

2024-11-23T20:02:57.708000+00:00


SOURCES UPDATE DATE

db | id | date
VULHUB | VHN-122553 | 2020-07-15T00:00:00
VULMON | CVE-2018-1258 | 2022-04-11T00:00:00
BID | 104222 | 2019-07-17T09:00:00
JVNDB | JVNDB-2018-005018 | 2018-07-04T00:00:00
CNNVD | CNNVD-201805-404 | 2021-10-21T00:00:00
NVD | CVE-2018-1258 | 2024-11-21T03:59:28.953

SOURCES RELEASE DATE

db | id | date
VULHUB | VHN-122553 | 2018-05-11T00:00:00
VULMON | CVE-2018-1258 | 2018-05-11T00:00:00
BID | 104222 | 2018-05-09T00:00:00
JVNDB | JVNDB-2018-005018 | 2018-07-04T00:00:00
PACKETSTORM | 153980 | 2019-08-08T14:34:03
CNNVD | CNNVD-201805-404 | 2018-05-14T00:00:00
NVD | CVE-2018-1258 | 2018-05-11T20:29:00.260