Bug 1591931 (CVE-2018-11040)
Summary: | CVE-2018-11040 springframework: cross-domain requests via JSONP through AbstractJsonpResponseBodyAdvice | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | aileenc, alazarot, anstephe, apevec, bmcclain, chazlett, chrisw, dblechte, dfediuck, drieden, eedri, etirelli, gvarsami, ibek, java-sig-commits, jcoleman, jjoyce, jolee, jschatte, jschluet, jstastny, kbasil, kconner, krathod, kverlaen, ldimaggi, lef, lhh, lpeer, lpetrovi, lsurette, markmc, mburns, mgoldboi, michal.skrivanek, mkolesni, nwallace, paradhya, puntogil, rbryant, Rhev-m-bugs, rrajasek, rsynek, rwagner, rzhang, sbonazzo, sclewis, sdaley, sherold, sisharma, slinaber, ssaha, tcunning, tdecacqu, tkirby, vbellur, vhalbert |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | springframework 5.0.7, springframework 4.3.18 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-07-12 13:05:39 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1591933, 1648712, 1648714, 1648716, 1648718, 1648719 | ||
Bug Blocks: | 1639954 |
Description
Laura Pardo
2018-06-15 19:36:05 UTC
Created springframework tracking bugs for this issue: Affects: fedora-all [bug 1591933] Mitigation: According to the upstream advisory, this vulnerability only applies to applications that do all of the following: * Explicitly configure MappingJackson2JsonView. * Do not set the jsonpParameterNames property of MappingJackson2JsonView to an empty set. * Expose sensitive user information over endpoints that can render content with JSONP. Statement: From an OpenDaylight perspective, whilst the shipped versions of Open Dayight ship artifacts which fall within the affected versions ("older unsupported versions"), this flaw only has impact when JSONP is used in certain circumstances. Given the libraries themselves are not used in a vulnerable way, being only used as part of tests, no package update to mitigate this flaw for Open Daylight is required. The package rhevm-dependencies does not include the spring-webmvc component, where this vulnerability exists. This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse Service Works 6 * Red Hat JBoss BRMS 5 * Red Hat JBoss Data Virtualization & Services 6 * Red Hat JBoss SOA Platform 5 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. The vulnerability exist in org.springframework.web which is not a dependency of Fuse 7. Marked as not affected. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-11040 |