Versio.io

CVE-2018-1258

Common vulnerabilities & exposures (CVE)

Published at: 11-05-2018 10:29
Last modified: 11-04-2022 07:18
Total changes: 6

Description

Spring Framework version 5.0.5, when used in combination with any version of Spring Security, contains an authorization bypass when using method security: a malicious user who lacks the required authority can invoke methods that should be restricted. The defect is in the Spring Framework release, not in Spring Security, so upgrading Spring Security alone does not address it; Spring Framework 5.0.6 is the fixed release.
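As an added illustration, not code from the Versio.io page or from the Spring projects, the JUnit test below checks the property this CVE breaks: that a method guarded only by a Spring Security @PreAuthorize annotation is in fact intercepted and refused to a caller who lacks the role. The class, bean and method names (AccountService, closeAccount) are hypothetical; the test assumes spring-context, spring-security-config, spring-security-test and JUnit 4 on the test classpath.

```java
// Added example (not from the Versio.io page or the Spring projects): a
// regression test that proves method security is actually enforced in the
// application context, which is the symptom CVE-2018-1258 describes.
// Assumes spring-context, spring-security-config, spring-security-test and
// JUnit 4 on the test classpath; class, bean and method names are hypothetical.
package example.methodsecurity;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotEquals;
import static org.junit.Assert.assertTrue;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.aop.support.AopUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.SpringVersion;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@ContextConfiguration(classes = MethodSecurityEnforcementTest.Config.class)
public class MethodSecurityEnforcementTest {

    /** Hypothetical service whose only protection is a method-security annotation. */
    public static class AccountService {
        @PreAuthorize("hasRole('ADMIN')")
        public String closeAccount(String accountId) {
            return "closed:" + accountId;
        }
    }

    /** Minimal context: method security on, one guarded bean, nothing else. */
    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true) // @EnableMethodSecurity on Spring Security 5.6+
    static class Config {
        @Bean
        public AccountService accountService() {
            return new AccountService();
        }
    }

    @Autowired
    private AccountService accountService;

    /** The advisor must have wrapped the bean; a plain object means no interception at all. */
    @Test
    public void serviceIsProxiedByMethodSecurity() {
        assertTrue("method-security advice was not applied to AccountService",
                AopUtils.isAopProxy(accountService));
    }

    /** Negative case: a USER must be refused even though the method itself is public. */
    @Test(expected = AccessDeniedException.class)
    @WithMockUser(username = "alice", roles = "USER")
    public void userCannotCloseAccounts() {
        accountService.closeAccount("acct-42");
    }

    /** Positive case, so the suite cannot pass merely because the context is broken. */
    @Test
    @WithMockUser(username = "root", roles = "ADMIN")
    public void adminCanCloseAccounts() {
        assertEquals("closed:acct-42", accountService.closeAccount("acct-42"));
    }

    /** Belt and braces: fail the build on the exact release this CVE names. */
    @Test
    public void springFrameworkIsNotTheAffectedRelease() {
        String version = SpringVersion.getVersion(); // null when the jar manifest is absent
        assertNotEquals("Spring Framework 5.0.5 is affected by CVE-2018-1258; upgrade to 5.0.6 or later",
                "5.0.5", version);
    }
}
```

The proxy check matters because method security works entirely through AOP advice: if the advisor is not applied to a bean, the annotations are inert and every call succeeds. Keeping a negative test such as userCannotCloseAccounts in the build detects that symptom whatever its cause, whether a framework regression like this one or a bean constructed outside the container with new.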

Common Vulnerability Scoring System (CVSS)

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base score:            8.8 (High)
Exploitability score:  2.8
Impact score:          5.9

Attack vector:         Network
Attack complexity:     Low
Privileges required:   Low
User interaction:      None
Scope:                 Unchanged
Confidentiality:       High
Integrity:             High
Availability:          High
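To show how the three scores follow from the vector string, here is an added CVSS v3.1 base-score calculator (not code from the Versio.io page or from FIRST). It implements the base-score equations of the CVSS v3.1 specification with the published metric weights; the class name Cvss31 and the Scores holder are this example's own. Fed the vector above it yields base 8.8, exploitability 2.8 and impact 5.9.

```java
// Added example (not from the Versio.io page): a CVSS v3.1 base-score
// calculator that reproduces the scores shown for this CVE from its vector.
// Implements the CVSS v3.1 base-score equations; weights are the published
// metric values. Class and method names are this example's own.
package example.cvss;

import java.util.HashMap;
import java.util.Map;

public final class Cvss31 {

    /** Exploitability, impact and base score, rounded as NVD displays them. */
    public static final class Scores {
        public final double exploitability, impact, base;
        Scores(double e, double i, double b) { exploitability = e; impact = i; base = b; }
        @Override public String toString() {
            return String.format("base=%.1f exploitability=%.1f impact=%.1f", base, exploitability, impact);
        }
    }

    public static Scores score(String vector) {
        Map<String, String> m = parse(vector);
        boolean changed = m.get("S").equals("C");

        double av = pick(m, "AV", "N", 0.85, "A", 0.62, "L", 0.55, "P", 0.20);
        double ac = pick(m, "AC", "L", 0.77, "H", 0.44);
        double pr = changed                       // PR weights depend on Scope
                ? pick(m, "PR", "N", 0.85, "L", 0.68, "H", 0.50)
                : pick(m, "PR", "N", 0.85, "L", 0.62, "H", 0.27);
        double ui = pick(m, "UI", "N", 0.85, "R", 0.62);
        double c = pick(m, "C", "H", 0.56, "L", 0.22, "N", 0.0);
        double i = pick(m, "I", "H", 0.56, "L", 0.22, "N", 0.0);
        double a = pick(m, "A", "H", 0.56, "L", 0.22, "N", 0.0);

        double iss = 1 - (1 - c) * (1 - i) * (1 - a);          // Impact Sub-Score
        double impact = changed
                ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
                : 6.42 * iss;
        double exploitability = 8.22 * av * ac * pr * ui;

        double base;
        if (impact <= 0) {
            base = 0.0;
        } else if (changed) {
            base = roundUp(Math.min(1.08 * (impact + exploitability), 10));
        } else {
            base = roundUp(Math.min(impact + exploitability, 10));
        }
        // NVD shows the two sub-scores to one decimal with ordinary rounding, not Roundup.
        return new Scores(Math.round(exploitability * 10) / 10.0,
                          Math.round(impact * 10) / 10.0, base);
    }

    /** The specification's Roundup: smallest one-decimal value >= input, guarded against float noise. */
    static double roundUp(double d) {
        long intInput = Math.round(d * 100000);
        if (intInput % 10000 == 0) return intInput / 100000.0;
        return (Math.floor(intInput / 10000.0) + 1) / 10.0;
    }

    /** Split "CVSS:3.x/AV:N/AC:L/..." into metric -> value and check the base metrics are all present. */
    private static Map<String, String> parse(String vector) {
        if (!vector.startsWith("CVSS:3.1/") && !vector.startsWith("CVSS:3.0/"))
            throw new IllegalArgumentException("not a CVSS v3 vector: " + vector);
        Map<String, String> m = new HashMap<>();
        for (String part : vector.substring(9).split("/")) {
            String[] kv = part.split(":", 2);
            if (kv.length != 2) throw new IllegalArgumentException("bad metric: " + part);
            m.put(kv[0], kv[1]);
        }
        for (String required : new String[] {"AV", "AC", "PR", "UI", "S", "C", "I", "A"})
            if (!m.containsKey(required)) throw new IllegalArgumentException("missing metric " + required);
        return m;
    }

    /** Resolve a metric's weight from alternating (value, weight) pairs. */
    private static double pick(Map<String, String> m, String key, Object... valueWeightPairs) {
        String v = m.get(key);
        for (int k = 0; k < valueWeightPairs.length; k += 2)
            if (valueWeightPairs[k].equals(v)) return (Double) valueWeightPairs[k + 1];
        throw new IllegalArgumentException("unknown value " + v + " for " + key);
    }

    public static void main(String[] args) {
        // The vector from this CVE entry.
        System.out.println(score("CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"));
    }
}
```

The Roundup step is why the base score is 8.8 rather than 8.7: the unrounded sum of impact and exploitability is just above 8.70, and the specification always rounds the base score up to the next tenth, while the sub-scores are merely displayed to one decimal.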
 

Verification logic

A host matches this CVE if any one of the following three vendor groups matches (top-level OR); within a group any single listed configuration is sufficient (OR). Note that the Spring Framework and Spring Security artifacts named in the description do not appear among these configurations, so an application's own dependency graph still has to be checked directly. Entries with version=- carry no version constraint at all; treat them as matching every version of that product until vendor guidance says otherwise.

Group 1, Oracle (OR):
  vendor=oracle AND product=agile_plm AND version=9.3.3
  vendor=oracle AND product=agile_plm AND version=9.3.4
  vendor=oracle AND product=agile_plm AND version=9.3.5
  vendor=oracle AND product=agile_plm AND version=9.3.6
  vendor=oracle AND product=application_testing_suite AND version=10.1
  vendor=oracle AND product=application_testing_suite AND version=12.5.0.3
  vendor=oracle AND product=application_testing_suite AND version=13.1.0.1
  vendor=oracle AND product=application_testing_suite AND version=13.2.0.1
  vendor=oracle AND product=application_testing_suite AND version=13.3.0.1
  vendor=oracle AND product=big_data_discovery AND version=1.6.0
  vendor=oracle AND product=communications_converged_application_server AND versionEndExcluding=7.0.0.1
  vendor=oracle AND product=communications_diameter_signaling_router AND versionEndExcluding=8.3
  vendor=oracle AND product=communications_network_integrity AND versionEndIncluding=7.3.6 AND versionStartIncluding=7.3.2
  vendor=oracle AND product=communications_performance_intelligence_center AND versionEndExcluding=10.2.1
  vendor=oracle AND product=communications_services_gatekeeper AND versionEndExcluding=6.1.0.4.0
  vendor=oracle AND product=endeca_information_discovery_integrator AND version=3.1.0
  vendor=oracle AND product=endeca_information_discovery_integrator AND version=3.2.0
  vendor=oracle AND product=enterprise_manager_for_mysql_database AND version=13.2
  vendor=oracle AND product=enterprise_manager_ops_center AND version=12.2.2
  vendor=oracle AND product=enterprise_manager_ops_center AND version=12.3.3
  vendor=oracle AND product=enterprise_repository AND version=11.1.1.7.0
  vendor=oracle AND product=enterprise_repository AND version=12.1.3.0.0
  vendor=oracle AND product=goldengate_for_big_data AND version=12.2.0.1
  vendor=oracle AND product=goldengate_for_big_data AND version=12.3.1.1
  vendor=oracle AND product=goldengate_for_big_data AND version=12.3.2.1
  vendor=oracle AND product=health_sciences_information_manager AND version=3.0
  vendor=oracle AND product=healthcare_master_person_index AND version=3.0
  vendor=oracle AND product=healthcare_master_person_index AND version=4.0
  vendor=oracle AND product=hospitality_guest_access AND version=4.2.0
  vendor=oracle AND product=hospitality_guest_access AND version=4.2.1
  vendor=oracle AND product=insurance_calculation_engine AND version=10.1.1
  vendor=oracle AND product=insurance_calculation_engine AND version=10.2
  vendor=oracle AND product=insurance_calculation_engine AND version=10.2.1
  vendor=oracle AND product=insurance_policy_administration AND version=10.0
  vendor=oracle AND product=insurance_policy_administration AND version=10.1
  vendor=oracle AND product=insurance_policy_administration AND version=10.2
  vendor=oracle AND product=insurance_policy_administration AND version=11.0
  vendor=oracle AND product=insurance_rules_palette AND version=10.0
  vendor=oracle AND product=insurance_rules_palette AND version=10.1
  vendor=oracle AND product=insurance_rules_palette AND version=10.2
  vendor=oracle AND product=insurance_rules_palette AND version=11.0
  vendor=oracle AND product=insurance_rules_palette AND version=11.1
  vendor=oracle AND product=micros_lucas AND version=2.9.5
  vendor=oracle AND product=mysql_enterprise_monitor AND versionEndIncluding=8.0.2.8191
  vendor=oracle AND product=peoplesoft_enterprise_fin_install AND version=9.2
  vendor=oracle AND product=retail_assortment_planning AND version=14.1
  vendor=oracle AND product=retail_assortment_planning AND version=15.0
  vendor=oracle AND product=retail_assortment_planning AND version=16.0
  vendor=oracle AND product=retail_back_office AND version=14.0
  vendor=oracle AND product=retail_back_office AND version=14.1
  vendor=oracle AND product=retail_central_office AND version=14.0
  vendor=oracle AND product=retail_central_office AND version=14.1
  vendor=oracle AND product=retail_customer_insights AND version=15.0
  vendor=oracle AND product=retail_customer_insights AND version=16.0
  vendor=oracle AND product=retail_financial_integration AND version=13.2
  vendor=oracle AND product=retail_financial_integration AND version=14.0
  vendor=oracle AND product=retail_financial_integration AND version=14.1
  vendor=oracle AND product=retail_financial_integration AND version=15.0
  vendor=oracle AND product=retail_financial_integration AND version=16.0
  vendor=oracle AND product=retail_integration_bus AND version=14.1.2
  vendor=oracle AND product=retail_point-of-service AND version=14.0
  vendor=oracle AND product=retail_point-of-service AND version=14.1
  vendor=oracle AND product=retail_returns_management AND version=14.0
  vendor=oracle AND product=retail_returns_management AND version=14.1
  vendor=oracle AND product=retail_xstore_point_of_service AND version=17.0
  vendor=oracle AND product=service_architecture_leveraging_tuxedo AND version=12.1.3.0.0
  vendor=oracle AND product=service_architecture_leveraging_tuxedo AND version=12.2.2.0.0
  vendor=oracle AND product=tape_library_acsls AND version=8.4
  vendor=oracle AND product=weblogic_server AND version=10.3.6.0
  vendor=oracle AND product=weblogic_server AND version=12.1.3.0
  vendor=oracle AND product=weblogic_server AND version=12.2.1.2
  vendor=oracle AND product=weblogic_server AND version=12.2.1.3

Group 2, NetApp (OR):
  vendor=netapp AND product=oncommand_insight AND version=-
  vendor=netapp AND product=oncommand_unified_manager AND target_software=vsphere AND versionStartIncluding=9.4
  vendor=netapp AND product=oncommand_unified_manager AND target_software=windows AND versionStartIncluding=7.3
  vendor=netapp AND product=snapcenter AND version=-
  vendor=netapp AND product=oncommand_workflow_automation AND version=-
  vendor=netapp AND product=storage_automation_store AND version=-

Group 3, Red Hat (OR):
  vendor=Red Hat Enterprise Linux AND product=fuse AND version=7.3.0
 


Keywords

NVD, CVE-2018-1258, CVE, Common vulnerabilities & exposures, CVSS, Common vulnerability scoring system, Security, Vulnerabilities, Exposures
