[prev in list] [next in list] [prev in thread] [next in thread]
List: scout-dev
Subject: [jira] [Reopened] (JUDDI-1003) spring-web jar supplied with latest JUDDI distribution has security v
From: "Amol Bhonsle (Jira)" <juddi-dev () ws ! apache ! org>
Date: 2020-02-26 5:15:00
Message-ID: JIRA.13279595.1579095658000.10528.1582694100246 () Atlassian ! JIRA
[Download RAW message or body]
[ https://issues.apache.org/jira/browse/JUDDI-1003?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel \
]
Amol Bhonsle reopened JUDDI-1003:
---------------------------------
spring-web-5.2.3.RELEASE has the same issue. However, if you upgrade to \
spring-web-5.2.4.RELEASE, it is free from vulnerability. This has been released \
yesterday only. Please explore this option.
> spring-web jar supplied with latest JUDDI distribution has security vulnerability
> ---------------------------------------------------------------------------------
>
> Key: JUDDI-1003
> URL: https://issues.apache.org/jira/browse/JUDDI-1003
> Project: jUDDI
> Issue Type: Bug
> Components: juddi-tomcat
> Affects Versions: 3.3.6, 3.3.7
> Reporter: Amol Bhonsle
> Assignee: Alex O'Ree
> Priority: Major
> Fix For: 3.3.8
>
>
> The jar for spring-web (JUDDI 3.3.7 comes with spring-web-3.2.18.RELEASE) which is \
> provided in distribution has following Security Vulnerability.
> The {{org.springframework:spring-web}} package is vulnerable to deserialization \
> of untrusted data leading to Remote Code Execution (RCE). The \
> {{readRemoteInvocation}} method in {{HttpInvokerServiceExporter.class}} does not \
> properly verify or restrict untrusted objects prior to deserializing them. An \
> attacker can exploit this vulnerability by sending malicious requests containing \
> crafted objects, which when deserialized, execute arbitrary code on the vulnerable \
> system.
> The {{spring-core}} and {{spring-web}} modules of Spring Framework are \
> vulnerable to a multipart content pollution vulnerability. The \
> {{generateMultipartBoundary()}} method in the {{MimeTypeUtils}} class uses a \
> predictable method of generating random values to use as boundary values for \
> multipart requests to other servers. This means that an attacker may be able to \
> predict the boundary values and inject them into requests at unexpected locations, \
> causing the recipient server to incorrectly interpret the multipart request. This \
> will result in unexpected behavior depending on the requests being processed, \
> including privilege escalation if authorization data is sent in the multipart \
> request. Note:
> {quote}In order for the attacker to succeed, they would have to be able to guess \
> the multipart boundary value chosen by server A for the multipart request to server \
> B, which requires the attacker to also have control of the server or the ability to \
> see the HTTP log of server A through a separate attack vector. {quote}
>
> Spring Framework is vulnerable to Cross-Site Tracing (XST) attacks. The \
> {{HiddenHttpMethodFilter}} class lets an attacker change the HTTP request method \
> to {{TRACE}}. An attacker can exploit this behavior with an Cross-Site Scripting \
> (XSS) attack by sending a TRACE request and recovering information that would not \
> normally be accessible, such as Cookies with the HTTPOnly flag.
> Please check and provide fix for this.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic