CVE-2018-1270
CVE-2018-1270
Vexday Risk Score
25Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS —EPSS 77.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Lifecycle
06 Apr 2018Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
Affected products
Spring by Pivotal · Spring FrameworkWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://access.redhat.com/errata/RHSA-2018:2939https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3Ehttps://lists.debian.org/debian-lts-announce/2021/04/msg00022.htmlhttps://pivotal.io/security/cve-2018-1270https://www.exploit-db.com/exploits/44796/https://www.oracle.com/security-alerts/cpujul2020.htmlhttps://www.oracle.com/security-alerts/cpuoct2021.htmlhttps://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html