A high-severity vulnerability has been found in the Pivotal Spring Framework

Description

Spring Framework, versions 5.0.x prior to 5.0.5 and versions 4.3.x prior to 4.3.16, as well as older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. [CVE-2018-1275]

https://pivotal.io/security/cve-2018-1275

Vendor Affected Components:
Spring Framework 5.0 ≤ 5.0.4
Spring Framework 4.3 ≤ 4.3.15
Older unsupported versions are also affected.

Environment

None

Status

Assignee

Unassigned

Reporter

Lukas Kosowski

Triage

None

Fix versions

None

Affects versions

Components

Priority

High