Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-2327-21sr-mfgx

Summary

Improper Privilege Management
When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Aliases

alias	CVE-2018-1272

alias	GHSA-4487-x383-qpph

Fixed_packages

url	pkg:maven/org.springframework/spring-core@4.3.15
purl	pkg:maven/org.springframework/spring-core@4.3.15
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-core@4.3.15

url	pkg:maven/org.springframework/spring-core@5.0.5
purl	pkg:maven/org.springframework/spring-core@5.0.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-core@5.0.5

url	pkg:maven/org.springframework/spring-webflux@5.0.5.RELEASE
purl	pkg:maven/org.springframework/spring-webflux@5.0.5.RELEASE
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webflux@5.0.5.RELEASE

url	pkg:maven/org.springframework/spring-webmvc@5.0.5.RELEASE
purl	pkg:maven/org.springframework/spring-webmvc@5.0.5.RELEASE
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.0.5.RELEASE

Affected_packages

url pkg:maven/org.springframework/spring-core@5.0.0

purl pkg:maven/org.springframework/spring-core@5.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2327-21sr-mfgx

vulnerability	VCID-3p1k-4ges-1fev

vulnerability	VCID-72ga-q9u7-sfav

vulnerability	VCID-h4kj-zdr8-wbdr

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-core@5.0.0

url pkg:maven/org.springframework/spring-webflux@4.2.9.RELEASE

purl pkg:maven/org.springframework/spring-webflux@4.2.9.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2327-21sr-mfgx

vulnerability	VCID-dakn-kfyh-syab

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webflux@4.2.9.RELEASE

url pkg:maven/org.springframework/spring-webflux@4.3.0.RELEASE

purl pkg:maven/org.springframework/spring-webflux@4.3.0.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2327-21sr-mfgx

vulnerability	VCID-dakn-kfyh-syab

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webflux@4.3.0.RELEASE

url pkg:maven/org.springframework/spring-webflux@5.0.RELEASE

purl pkg:maven/org.springframework/spring-webflux@5.0.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2327-21sr-mfgx

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webflux@5.0.RELEASE

url pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE

purl pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2327-21sr-mfgx

vulnerability	VCID-dakn-kfyh-syab

vulnerability	VCID-envb-buqd-r3dt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE

url pkg:maven/org.springframework/spring-webmvc@4.3.0.RELEASE

purl pkg:maven/org.springframework/spring-webmvc@4.3.0.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2327-21sr-mfgx

vulnerability	VCID-dakn-kfyh-syab

vulnerability	VCID-envb-buqd-r3dt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.3.0.RELEASE

url pkg:maven/org.springframework/spring-webmvc@5.0.RELEASE

purl pkg:maven/org.springframework/spring-webmvc@5.0.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2327-21sr-mfgx

vulnerability	VCID-envb-buqd-r3dt

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.0.RELEASE

References

reference_url	https://access.redhat.com/errata/RHSA-2018:1320
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2018:1320

reference_url	https://access.redhat.com/errata/RHSA-2018:2669
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2018:2669

reference_url	https://exchange.xforce.ibmcloud.com/vulnerabilities/141286
reference_id
reference_type
scores
url	https://exchange.xforce.ibmcloud.com/vulnerabilities/141286

reference_url	https://www.oracle.com/security-alerts/cpujul2020.html
reference_id
reference_type
scores
url	https://www.oracle.com/security-alerts/cpujul2020.html

reference_url	https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
url	https://www.oracle.com/security-alerts/cpuoct2021.html

reference_url	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
reference_id
reference_type
scores
url	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

reference_url	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
reference_id
reference_type
scores
url	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

reference_url	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
reference_id
reference_type
scores
url	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

reference_url	http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
reference_id
reference_type
scores
url	http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

reference_url	http://www.securityfocus.com/bid/103697
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/103697

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2018-1272
reference_id	CVE-2018-1272
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2018-1272

reference_url	https://pivotal.io/security/cve-2018-1272
reference_id	CVE-2018-1272
reference_type
scores
url	https://pivotal.io/security/cve-2018-1272

reference_url	https://github.com/advisories/GHSA-4487-x383-qpph
reference_id	GHSA-4487-x383-qpph
reference_type
scores
url	https://github.com/advisories/GHSA-4487-x383-qpph

Weaknesses

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2327-21sr-mfgx

Vulnerability Instance