CVE-2018-15756

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Published: Oct 19, 2018
Updated: Nov 8, 2023
CVE: CVE-2018-15756
GHSA: GHSA-ffvq-7w96-97p7
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
vmware / spring_framework	4.2.0	4.3.20
vmware / spring_framework	5.0.0	5.0.10
vmware / spring_framework	5.1.0	5.1.0.x
oracle / flexcube_private_banking	12.1.0	12.1.0.x
oracle / insurance_policy_administration_j2ee	10.2.0	10.2.0.x
oracle / retail_xstore_point_of_service	7.1	7.1.x
oracle / weblogic_server	12.1.3.0.0	12.1.3.0.0.x
oracle / retail_invoice_matching	13.0	13.0.x
oracle / flexcube_private_banking	12.0.1	12.0.1.x
oracle / primavera_gateway	16.2	16.2.x
oracle / primavera_gateway	15.2	15.2.x
oracle / retail_invoice_matching	12.0	12.0.x
oracle / flexcube_private_banking	12.0.3	12.0.3.x
oracle / insurance_rules_palette	10.2.0	10.2.0.x
oracle / retail_service_backbone	15.0	15.0.x
oracle / retail_integration_bus	15.0	15.0.x
oracle / weblogic_server	10.3.6.0.0	10.3.6.0.0.x
oracle / weblogic_server	12.2.1.3.0	12.2.1.3.0.x
oracle / communications_unified_inventory_management	7.3	7.3.x
oracle / enterprise_manager_ops_center	12.3.3	12.3.3.x
oracle / webcenter_sites	12.2.1.3.0	12.2.1.3.0.x
oracle / endeca_information_discovery_integrator	3.2.0	3.2.0.x
oracle / insurance_rules_palette	10.0	10.0.x
oracle / insurance_rules_palette	10.2	10.2.x
oracle / healthcare_master_person_index	3.0	3.0.x
oracle / insurance_calculation_engine	10.2	10.2.x
oracle / retail_predictive_application_server	16.0	16.0.x
oracle / retail_order_broker	5.1	5.1.x
oracle / retail_order_broker	5.2	5.2.x
oracle / retail_order_broker	15.0	15.0.x
oracle / retail_order_broker	16.0	16.0.x
oracle / insurance_rules_palette	10.1	10.1.x
oracle / insurance_rules_palette	11.0	11.0.x
oracle / primavera_gateway	17.12	17.12.x
oracle / retail_integration_bus	16.0	16.0.x
oracle / retail_assortment_planning	15.0	15.0.x
oracle / communications_converged_application_server_-_service_controller	6.1	6.1.x
oracle / communications_online_mediation_controller	6.1	6.1.x
oracle / retail_predictive_application_server	15.0.3	15.0.3.x
oracle / retail_clearance_optimization_engine	14.0.5	14.0.5.x
oracle / agile_plm	9.3.3	9.3.3.x
oracle / agile_plm	9.3.4	9.3.4.x
oracle / agile_plm	9.3.5	9.3.5.x
oracle / agile_plm	9.3.6	9.3.6.x
oracle / retail_assortment_planning	16.0	16.0.x
oracle / retail_financial_integration	14.0	14.0.x
oracle / retail_financial_integration	14.1	14.1.x
oracle / retail_financial_integration	15.0	15.0.x
oracle / retail_financial_integration	16.0	16.0.x
oracle / communications_unified_inventory_management	7.4.0	7.4.0.x
oracle / retail_invoice_matching	13.1	13.1.x
oracle / retail_invoice_matching	13.2	13.2.x
oracle / retail_invoice_matching	14.0	14.0.x
oracle / retail_invoice_matching	14.1	14.1.x
oracle / insurance_policy_administration_j2ee	10.0	10.0.x
oracle / insurance_policy_administration_j2ee	10.2	10.2.x
oracle / weblogic_server	12.2.1.4.0	12.2.1.4.0.x
oracle / rapid_planning	12.1	12.1.x
oracle / rapid_planning	12.2	12.2.x
oracle / mysql_enterprise_monitor	-	4.0.12.x
oracle / communications_element_manager	8.2.0	8.2.0.x
oracle / communications_element_manager	8.2.1	8.2.1.x
oracle / communications_element_manager	8.1.1	8.1.1.x
oracle / mysql_enterprise_monitor	8.0.0	8.0.20.x
oracle / enterprise_manager_for_fusion_applications	13.3.0.0	13.3.0.0.x
oracle / communications_session_report_manager	8.1.1	8.1.1.x
oracle / communications_session_report_manager	8.2.0	8.2.0.x
oracle / communications_session_report_manager	8.2.1	8.2.1.x
oracle / communications_session_route_manager	8.1.1	8.1.1.x
oracle / communications_session_route_manager	8.2.0	8.2.0.x
oracle / communications_session_route_manager	8.2.1	8.2.1.x
oracle / goldengate_application_adapters	12.3.2.1.0	12.3.2.1.0.x
oracle / identity_manager_connector	9.0	9.0.x
oracle / communications_diameter_signaling_router	8.2.1	8.2.1.x
oracle / communications_diameter_signaling_router	8.0.0	8.0.0.x
oracle / communications_diameter_signaling_router	8.1	8.1.x
oracle / communications_diameter_signaling_router	8.2	8.2.x
oracle / retail_service_backbone	16.0	16.0.x
oracle / retail_integration_bus	15.0.3	15.0.3.x
oracle / financial_services_analytical_applications_infrastructure	8.0.2	8.0.8.x
oracle / primavera_gateway	18.8.0	18.8.0.x
oracle / communications_session_route_manager	8.0.0	8.0.0.x
oracle / communications_session_route_manager	8.1.0	8.1.0.x
oracle / communications_session_report_manager	8.0.0	8.0.0.x
oracle / communications_session_report_manager	8.1.0	8.1.0.x
oracle / tape_library_acsls	8.5	8.5.x
oracle / retail_predictive_application_server	14.0.3	14.0.3.x
oracle / retail_integration_bus	16.0.3	16.0.3.x
oracle / insurance_rules_palette	10.2.4	10.2.4.x
oracle / insurance_rules_palette	11.0.2	11.0.2.x
oracle / insurance_rules_palette	11.1.0	11.1.0.x
oracle / insurance_rules_palette	11.2.0	11.2.0.x
oracle / insurance_policy_administration_j2ee	10.2.4	10.2.4.x
oracle / insurance_policy_administration_j2ee	11.1.0	11.1.0.x
oracle / insurance_policy_administration_j2ee	11.2.0	11.2.0.x
oracle / healthcare_master_person_index	4.0.2	4.0.2.x
oracle / retail_predictive_application_server	14.1.3	14.1.3.x
oracle / retail_advanced_inventory_planning	15.0	15.0.x
oracle / communications_brm_-_elastic_charging_engine	12.0	12.0.x
oracle / communications_brm_-_elastic_charging_engine	11.3	11.3.x
oracle / retail_predictive_application_server	16.0.3	16.0.3.x
oracle / retail_markdown_optimization	13.4.4	13.4.4.x
oracle / retail_predictive_application_server	14.1.3.37	14.1.3.37.x
oracle / retail_predictive_application_server	14.0.3.26	14.0.3.26.x
oracle / retail_predictive_application_server	15.0.3.100	15.0.3.100.x
oracle / retail_service_backbone	16.0.1	16.0.1.x
oracle / communications_converged_application_server_-_service_controller	6.0	6.0.x
oracle / insurance_policy_administration_j2ee	10.1	10.1.x
oracle / insurance_policy_administration_j2ee	11.0	11.0.x
oracle / insurance_calculation_engine	9.7	9.7.x
oracle / insurance_calculation_engine	10.0	10.0.x
oracle / insurance_calculation_engine	10.1	10.1.x
oracle / primavera_analytics	18.8	18.8.x
debian / debian_linux	9.0	9.0.x
org.springframework / spring-core	5.1	5.1.1
org.springframework / spring-core	5.0	5.0.10
org.springframework / spring-core	-	4.3.20

Vulnerability Database

289,599

CVE-2018-15756