Candidate: CVE-2018-11039
PublicDate: 2018-06-25 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11039
 https://pivotal.io/security/cve-2018-11039
Description:
 Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to
 4.3.18, and older unsupported versions) allow web applications to change
 the HTTP request method to any HTTP method (including TRACE) using the
 HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing
 XSS vulnerability, a malicious user (or attacker) can use this filter to
 escalate to an XST (Cross Site Tracing) attack.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]


Patches_libspring-java:
upstream_libspring-java: released (4.3.19-1)
precise/esm_libspring-java: DNE
trusty_libspring-java: ignored (out of standard support)
trusty/esm_libspring-java: needed
xenial_libspring-java: ignored (end of standard support, was needed)
artful_libspring-java: ignored (reached end-of-life)
bionic_libspring-java: not-affected (4.3.19-1)
cosmic_libspring-java: not-affected (4.3.19-1)
disco_libspring-java: not-affected (4.3.19-1)
eoan_libspring-java: not-affected (4.3.19-1)
focal_libspring-java: not-affected (4.3.19-1)
groovy_libspring-java: not-affected (4.3.19-1)
hirsute_libspring-java: not-affected (4.3.19-1)
impish_libspring-java: not-affected (4.3.19-1)
jammy_libspring-java: not-affected (4.3.19-1)
devel_libspring-java: not-affected (4.3.19-1)