Spring Framework, versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers, and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot. However when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests. References: https://pivotal.io/security/cve-2018-11040
Created springframework tracking bugs for this issue: Affects: fedora-all [bug 1591933]
Mitigation: According to the upstream advisory, this vulnerability only applies to applications that do all of the following: * Explicitly configure MappingJackson2JsonView. * Do not set the jsonpParameterNames property of MappingJackson2JsonView to an empty set. * Expose sensitive user information over endpoints that can render content with JSONP.
Statement: From an OpenDaylight perspective, whilst the shipped versions of Open Dayight ship artifacts which fall within the affected versions ("older unsupported versions"), this flaw only has impact when JSONP is used in certain circumstances. Given the libraries themselves are not used in a vulnerable way, being only used as part of tests, no package update to mitigate this flaw for Open Daylight is required. The package rhevm-dependencies does not include the spring-webmvc component, where this vulnerability exists.
This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse Service Works 6 * Red Hat JBoss BRMS 5 * Red Hat JBoss Data Virtualization & Services 6 * Red Hat JBoss SOA Platform 5 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
The vulnerability exist in org.springframework.web which is not a dependency of Fuse 7. Marked as not affected.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-11040