Multipart Request Vulnerability in Spring Framework by Pivotal
CVE-2018-1272

7.5HIGH

Key Information:

Vendor: Spring By Pivotal
Status: Spring Framework
Vendor: CVE Published:; 6 April 2018

What is CVE-2018-1272?

The Spring Framework, specifically versions 5.0 prior to 5.0.5 and 4.3 prior to 4.3.15, is susceptible to a multipart request vulnerability. This issue arises when a Spring MVC or Spring WebFlux server application (referred to as server A) processes input from a client and uses that input to create a multipart request to another server (server B). An attacker may exploit this vulnerability by inserting an additional multipart into the request's content from server A. If server B relies on the part content for critical information, such as usernames or user roles, this can lead to unauthorized privilege escalation, undermining application security.

Affected Version(s)

Spring Framework Versions prior to 5.0.5 and 4.3.15

References

http://www.securityfocus.com/bid/103697

vdb-entryx_refsource_BID

https://access.redhat.com/errata/RHSA-2018:2669

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2018:1320

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 6, 2018
Vulnerability Reserved
Dec 6, 2017

Spring By Pivotal

What is CVE-2018-1272?

Affected Version(s)

References

CVSS V3.1

Timeline