Description

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Remediation

References

https://pivotal.io/security/cve-2018-1272

http://www.securityfocus.com/bid/103697

https://access.redhat.com/errata/RHSA-2018:1320

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

https://access.redhat.com/errata/RHSA-2018:2669

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2021.html

Related Vulnerabilities

CVE-2017-9802 Vulnerability in maven package org.apache.sling:org.apache.sling.servlets.post

CVE-2022-22965 Vulnerability in maven package org.springframework.boot:spring-boot-starter-webflux

CVE-2021-32859 Vulnerability in npm package baremetrics-calendar

CVE-2023-46496 Vulnerability in npm package @evershop/evershop

CVE-2022-36893 Vulnerability in maven package org.jenkins-ci.plugins:rpmsign-plugin

Severity

High

Classification

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Third Party Advisory VDB Entry Patch NVD-CWE-noinfo