CVE-2018-1272 -- libspring-java
ID: oval:org.secpod.oval:def:2001379 | Date: (C)2019-06-06 (M)2022-06-23 |
Class: VULNERABILITY | Family: unix |
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
Product: libspring-core-java |