製品・ソフトウェアに関する情報

JVN脆弱性詳細

Spring Framework におけるセキュリティチェックに関する脆弱性

タイトル	Spring Framework におけるセキュリティチェックに関する脆弱性
概要	Spring Framework には、セキュリティチェックに関する脆弱性が存在します。
想定される影響	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2018年4月9日0:00
登録日	2018年5月14日14:24
最終更新日	2018年5月14日14:24

CVSS3.0 : 緊急
スコア	9.8
ベクター	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2.0 : 危険
スコア	7.5
ベクター	AV:N/AC:L/Au:N/C:P/I:P/A:P

影響を受けるシステム

Pivotal Software, Inc.

Spring Framework 4.3.16 未満の 4.3

Spring Framework 5.0.5 未満の 5.0

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-1275	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1275
National Vulnerability Database (NVD)
2	CVE-2018-1275	https://nvd.nist.gov/vuln/detail/CVE-2018-1275
Pivotal Software, Inc.
3	CVE-2018-1275: Address partial fix for CVE-2018-1270	https://pivotal.io/security/cve-2018-1275

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-358	https://cwe.mitre.org/data/definitions/358.html

変更履歴

No	変更内容	変更日
1	[2018年05月14日] 掲載	2018年5月14日14:24

NVD脆弱性情報

CVE-2018-1275

概要	Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
公表日	2018年4月11日22:29
登録日	2021年3月1日18:50
最終更新日	2024年11月21日12:59

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:vmware:spring_framework::::::::	5.0.0			5.0.5
cpe:2.3:a:vmware:spring_framework::::::::	4.3.0			4.3.16

構成2	以上	以下	より上	未満
cpe:2.3:a:oracle:primavera_gateway:16.2:::::::*
cpe:2.3:a:oracle:primavera_gateway:15.2:::::::*
cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:::::::*
cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.1:::::::*
cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:::::::*
cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:::::::*
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:::::::*
cpe:2.3:a:oracle:communications_diameter_signaling_router::::::::				8.3
cpe:2.3:a:oracle:communications_performance_intelligence_center::::::::				10.2.1
cpe:2.3:a:oracle:insurance_rules_palette:10.0:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:10.2:::::::*
cpe:2.3:a:oracle:communications_services_gatekeeper::::::::				6.1.0.4.0
cpe:2.3:a:oracle:health_sciences_information_manager:3.0:::::::*
cpe:2.3:a:oracle:healthcare_master_person_index:3.0:::::::*
cpe:2.3:a:oracle:healthcare_master_person_index:4.0:::::::*
cpe:2.3:a:oracle:insurance_calculation_engine:10.2:::::::*
cpe:2.3:a:oracle:retail_customer_insights:15.0:::::::*
cpe:2.3:a:oracle:retail_customer_insights:16.0:::::::*
cpe:2.3:a:oracle:tape_library_acsls:8.4:::::::*
cpe:2.3:a:oracle:communications_converged_application_server::::::::				7.0.0.1
cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:::::::*
cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:::::::*
cpe:2.3:a:oracle:retail_predictive_application_server:14.0:::::::*
cpe:2.3:a:oracle:retail_predictive_application_server:14.1:::::::*
cpe:2.3:a:oracle:retail_predictive_application_server:15.0:::::::*
cpe:2.3:a:oracle:retail_predictive_application_server:16.0:::::::*
cpe:2.3:a:oracle:retail_order_broker:5.1:::::::*
cpe:2.3:a:oracle:retail_order_broker:5.2:::::::*
cpe:2.3:a:oracle:retail_order_broker:15.0:::::::*
cpe:2.3:a:oracle:retail_order_broker:16.0:::::::*
cpe:2.3:a:oracle:retail_open_commerce_platform:5.3.0:::::::*
cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.0:::::::*
cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:::::::*
cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:10.1:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:11.0:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:11.1:::::::*
cpe:2.3:a:oracle:primavera_gateway:17.12:::::::*
cpe:2.3:a:oracle:big_data_discovery:1.6.0:::::::*
cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1:::::::*
cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1:::::::*
cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1:::::::*

関連情報、対策とツール

No	URL	タグ
1	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Patch Third Party Advisory
2	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Patch Third Party Advisory
3	http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	Patch Third Party Advisory
4	http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	Patch Third Party Advisory
5	http://www.securityfocus.com/bid/103771	Third Party Advisory VDB Entry
6	http://www.securityfocus.com/bid/103771	Third Party Advisory VDB Entry
7	http://www.securitytracker.com/id/1041301	Third Party Advisory VDB Entry
8	http://www.securitytracker.com/id/1041301	Third Party Advisory VDB Entry
9	https://access.redhat.com/errata/RHSA-2018:1320	Third Party Advisory
10	https://access.redhat.com/errata/RHSA-2018:1320	Third Party Advisory
11	https://access.redhat.com/errata/RHSA-2018:2939	Third Party Advisory
12	https://access.redhat.com/errata/RHSA-2018:2939	Third Party Advisory
13	https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E
14	https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E
15	https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3Cissues.activemq.apache.org%3E
16	https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3Cissues.activemq.apache.org%3E
17	https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E
18	https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E
19	https://pivotal.io/security/cve-2018-1275	Vendor Advisory
20	https://pivotal.io/security/cve-2018-1275	Vendor Advisory
21	https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory
22	https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory
23	https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory
24	https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory
25	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	Patch Third Party Advisory
26	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	Patch Third Party Advisory
27	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Patch Third Party Advisory
28	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Patch Third Party Advisory

共通脆弱性一覧

構成2	以上	以下	より上	未満
cpe:2.3:a:oracle:primavera_gateway:16.2:::::::*
cpe:2.3:a:oracle:primavera_gateway:15.2:::::::*
cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:::::::*
cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.1:::::::*
cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:::::::*
cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:::::::*
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:::::::*
cpe:2.3:a:oracle:communications_diameter_signaling_router::::::::				8.3
cpe:2.3:a:oracle:communications_performance_intelligence_center::::::::				10.2.1
cpe:2.3:a:oracle:insurance_rules_palette:10.0:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:10.2:::::::*
cpe:2.3:a:oracle:communications_services_gatekeeper::::::::				6.1.0.4.0
cpe:2.3:a:oracle:health_sciences_information_manager:3.0:::::::*
cpe:2.3:a:oracle:healthcare_master_person_index:3.0:::::::*
cpe:2.3:a:oracle:healthcare_master_person_index:4.0:::::::*
cpe:2.3:a:oracle:insurance_calculation_engine:10.2:::::::*
cpe:2.3:a:oracle:retail_customer_insights:15.0:::::::*
cpe:2.3:a:oracle:retail_customer_insights:16.0:::::::*
cpe:2.3:a:oracle:tape_library_acsls:8.4:::::::*
cpe:2.3:a:oracle:communications_converged_application_server::::::::				7.0.0.1
cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:::::::*
cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:::::::*
cpe:2.3:a:oracle:retail_predictive_application_server:14.0:::::::*
cpe:2.3:a:oracle:retail_predictive_application_server:14.1:::::::*
cpe:2.3:a:oracle:retail_predictive_application_server:15.0:::::::*
cpe:2.3:a:oracle:retail_predictive_application_server:16.0:::::::*
cpe:2.3:a:oracle:retail_order_broker:5.1:::::::*
cpe:2.3:a:oracle:retail_order_broker:5.2:::::::*
cpe:2.3:a:oracle:retail_order_broker:15.0:::::::*
cpe:2.3:a:oracle:retail_order_broker:16.0:::::::*
cpe:2.3:a:oracle:retail_open_commerce_platform:5.3.0:::::::*
cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.0:::::::*
cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:::::::*
cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:10.1:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:11.0:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:11.1:::::::*
cpe:2.3:a:oracle:primavera_gateway:17.12:::::::*
cpe:2.3:a:oracle:big_data_discovery:1.6.0:::::::*
cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1:::::::*
cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1:::::::*
cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1:::::::*