Description

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Remediation

References

https://pivotal.io/security/cve-2018-1272

http://www.securityfocus.com/bid/103697

https://access.redhat.com/errata/RHSA-2018:1320

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

https://access.redhat.com/errata/RHSA-2018:2669

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2021.html

Related Vulnerabilities

CVE-2022-42130 Vulnerability in maven package com.liferay:com.liferay.dynamic.data.mapping.service

CVE-2023-24455 Vulnerability in maven package io.jenkins.plugins:visualexpert

CVE-2018-1000194 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2017-4973 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-uaa

CVE-2022-41940 Vulnerability in npm package engine.io

Severity

High

Classification

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Third Party Advisory VDB Entry Patch NVD-CWE-noinfo