researchers have discovered three vulnerabilities in the Spring Development , one of them could be exploited by a attacker to execute arbitrary on applications built with it.

Pivotal’s Spring is widely used open source framework for the development of web applications.  Affected Spring Framework versions are 5.0 to 5.0.4, 4.3 to 4.3.14, and older versions.

The security advisory published by Pivotal includes technical details of the following three vulnerabilities;

  • CVE-2018-1270: Remote Code Execution with spring-messaging, it is rated as “Critical”.

“Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module.” reads the advisory.

An attacker can send specially crafted messages to the broker in order to trigger the remote code execution flaw.

  • CVE-2018-1271: Directory Traversal with Spring MVC on Windows, it is rated as “High”.

“Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, ).” reads the advisory. 

An attacker can use a specially crafted URL to lead a directory traversal .

  • CVE-2018-1272: Multipart Content Pollution with Spring Framework, it is rated as “Low”.

“When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.” reads the advisory.

An attacker that is able to guess the multipart boundary value chosen by server A for the multipart request to server B could successfully exploit the issue. This that the attacker needs to gain the control of the server or have to find a way to see the HTTP log of server A through a separate attack vector.

Pivotal's Spring framework Data REST  - Pivotals Spring Data REST - A Remote Code Execution Vulnerability found in the Spring Framework. Upgrade it now!Security Affairs

The above issued are addressed with the Spring Framework 5.0.5 and 4.3.15. Pivotal also released Spring Boot 2.0.1 and

Development teams need to upgrade their software to the latest versions as soon as possible.

Pierluigi Paganini

(Security Affairs – hacking, Spring framework)

Source link


Please enter your comment!
Please enter your name here