Candidate: CVE-2018-11040
PublicDate: 2018-06-25 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11040
 https://pivotal.io/security/cve-2018-11040
Description:
 Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18
 and older unsupported versions, allows web applications to enable
 cross-domain requests via JSONP (JSON with Padding) through
 AbstractJsonpResponseBodyAdvice for REST controllers and
 MappingJackson2JsonView for browser requests. Both are not enabled by
 default in Spring Framework nor Spring Boot, however, when
 MappingJackson2JsonView is configured in an application, JSONP support is
 automatically ready to use through the "jsonp" and "callback" JSONP
 parameters, enabling cross-domain requests.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]


Patches_libspring-java:
upstream_libspring-java: released (4.3.19-1)
precise/esm_libspring-java: DNE
trusty_libspring-java: ignored (out of standard support)
trusty/esm_libspring-java: needed
xenial_libspring-java: ignored (end of standard support, was needed)
artful_libspring-java: ignored (reached end-of-life)
bionic_libspring-java: not-affected (4.3.19-1)
cosmic_libspring-java: not-affected (4.3.19-1)
disco_libspring-java: not-affected (4.3.19-1)
eoan_libspring-java: not-affected (4.3.19-1)
focal_libspring-java: not-affected (4.3.19-1)
groovy_libspring-java: not-affected (4.3.19-1)
hirsute_libspring-java: not-affected (4.3.19-1)
impish_libspring-java: not-affected (4.3.19-1)
jammy_libspring-java: not-affected (4.3.19-1)
devel_libspring-java: not-affected (4.3.19-1)