Bug#911786: libspring-java: CVE-2018-15756
Salvatore Bonaccorso
carnil at debian.org
Wed Oct 24 20:03:12 BST 2018
Source: libspring-java
Version: 4.3.19-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for libspring-java.
CVE-2018-15756[0]:
| Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10,
| versions 4.3.x prior to 4.3.20, and older unsupported versions on the
| 4.2.x branch provide support for range requests when serving static
| resources through the ResourceHttpRequestHandler, or starting in 5.0
| when an annotated controller returns an
| org.springframework.core.io.Resource. A malicious user (or attacker)
| can add a range header with a high number of ranges, or with wide
| ranges that overlap, or both, for a denial of service attack. This
| vulnerability affects applications that depend on either spring-webmvc
| or spring-webflux. Such applications must also have a registration for
| serving static resources (e.g. JS, CSS, images, and others), or have
| an annotated controller that returns an
| org.springframework.core.io.Resource. Spring Boot applications that
| depend on spring-boot-starter-web or spring-boot-starter-webflux are
| ready to serve static resources out of the box and are therefore
| vulnerable.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-15756
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15756
[1] https://pivotal.io/security/cve-2018-15756
Please adjust the affected versions in the BTS as needed, but
basically, as is already known, older 4.2 versions (which are
unsupported) are affected as well.
Regards,
Salvatore
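The quoted advisory describes multi-range requests with a very large number of ranges, or wide overlapping ranges, as the DoS vector. The following is an added example (not code from Debian, Spring, or this report) of the kind of defensive check a static-resource handler can apply before honouring a Range header: it parses the `bytes=` form, refuses malformed specs, and rejects requests that carry more than an assumed cap of `MAX_RANGES` ranges or any two ranges that overlap. It is written in Python rather than Java so it runs stand-alone; the cap value is a hypothetical policy choice.

```python
import re

MAX_RANGES = 10  # assumed policy cap on ranges per request (hypothetical value)

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header: str, resource_length: int) -> list[tuple[int, int]]:
    """Parse an RFC 7233 'bytes=' Range header into inclusive (start, end) pairs
    resolved against resource_length. Unsatisfiable ranges (start past the end
    of the resource) are dropped; a malformed header raises ValueError."""
    if not header.startswith("bytes="):
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        m = _RANGE_SPEC.match(spec)
        if not m or spec == "-":
            raise ValueError(f"malformed range spec: {spec!r}")
        first, last = m.group(1), m.group(2)
        if first == "":
            # suffix form "-N": the last N bytes of the resource
            n = int(last)
            if n == 0:
                raise ValueError("zero-length suffix range")
            ranges.append((max(resource_length - n, 0), resource_length - 1))
            continue
        start = int(first)
        if last != "" and int(last) < start:
            raise ValueError(f"range end before start: {spec!r}")
        if start >= resource_length:
            continue  # unsatisfiable; ignored rather than rejected
        end = resource_length - 1 if last == "" else min(int(last), resource_length - 1)
        ranges.append((start, end))
    return ranges


def is_safe_range_request(header: str, resource_length: int,
                          max_ranges: int = MAX_RANGES) -> bool:
    """Return True when the request may be served as a (multi)part range
    response, False when the handler should refuse it (e.g. serve the whole
    resource with 200, or answer 416)."""
    try:
        ranges = parse_byte_ranges(header, resource_length)
    except ValueError:
        return False
    if len(ranges) > max_ranges:
        return False  # too many ranges: excessive work per request
    ordered = sorted(ranges)
    # any range that starts at or before the previous range's end overlaps it
    return all(s2 > e1 for (_, e1), (s2, _) in zip(ordered, ordered[1:]))


if __name__ == "__main__":
    # constructed sample headers against a 1000-byte resource
    print(is_safe_range_request("bytes=0-499,500-999", 1000))  # True
    print(is_safe_range_request("bytes=0-999,0-999", 1000))    # False
```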