Candidate: CVE-2018-1257
PublicDate: 2018-05-11 20:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1257
 https://pivotal.io/security/cve-2018-1257
Description:
 Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to
 4.3.17, and older unsupported versions allows applications to expose STOMP
 over WebSocket endpoints with a simple, in-memory STOMP broker through the
 spring-messaging module. A malicious user (or attacker) can craft a message
 to the broker that can lead to a regular expression, denial of service
 attack.
Ubuntu-Description:
Notes:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H [6.5 MEDIUM]
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H [6.5 MEDIUM]


Patches_libspring-java:
upstream_libspring-java: released (4.3.17)
precise/esm_libspring-java: DNE
trusty_libspring-java: ignored (out of standard support)
trusty/esm_libspring-java: needed
xenial_libspring-java: ignored (end of standard support, was needed)
artful_libspring-java: ignored (reached end-of-life)
bionic_libspring-java: not-affected (4.3.19-1)
cosmic_libspring-java: not-affected (4.3.19-1)
disco_libspring-java: not-affected (4.3.19-1)
eoan_libspring-java: not-affected (4.3.19-1)
focal_libspring-java: not-affected (4.3.19-1)
groovy_libspring-java: not-affected (4.3.19-1)
hirsute_libspring-java: not-affected (4.3.19-1)
impish_libspring-java: not-affected (4.3.19-1)
jammy_libspring-java: not-affected (4.3.19-1)
devel_libspring-java: not-affected (4.3.19-1)