Candidate: CVE-2018-1270
PublicDate: 2018-04-06 13:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1270
 https://pivotal.io/security/cve-2018-1270
 https://bugs.launchpad.net/ubuntu/+source/saaj/+bug/1814133
Description:
 Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to
 4.3.15 and older unsupported versions, allow applications to expose STOMP
 over WebSocket endpoints with a simple, in-memory STOMP broker through the
 spring-messaging module. A malicious user (or attacker) can craft a message
 to the broker that can lead to a remote code execution attack.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895114
Priority: high
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_libspring-java:
upstream_libspring-java: needs-triage
precise/esm_libspring-java: DNE
trusty_libspring-java: ignored (out of standard support)
trusty/esm_libspring-java: not-affected (code not present)
xenial_libspring-java: not-affected (code not present)
artful_libspring-java: ignored (reached end-of-life)
bionic_libspring-java: released (4.3.22-1~18.04)
cosmic_libspring-java: released (4.3.22-1~18.04)
disco_libspring-java: not-affected (4.3.22-2)
devel_libspring-java: not-affected (4.3.22-2)