Description

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Remediation

References

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/103697

https://access.redhat.com/errata/RHSA-2018:1320

https://access.redhat.com/errata/RHSA-2018:2669

https://pivotal.io/security/cve-2018-1272

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2021.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Related Vulnerabilities

CVE-2022-36067 Vulnerability in npm package vm2

CVE-2023-28709 Vulnerability in maven package org.apache.tomcat:tomcat-util

CVE-2021-39134 Vulnerability in npm package @npmcli/arborist

CVE-2020-13410 Vulnerability in npm package aedes

CVE-2023-26488 Vulnerability in npm package @openzeppelin/contracts-upgradeable

Severity

High

Classification

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory VDB Entry Vendor Advisory NVD-CWE-noinfo