CVE-2018-11040 - Cross-Origin Resource Sharing (CORS)
Severity: Low2022-10-13
Abstract
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
The Oxygen products incorporate Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen Content Fusion v4.1.6 and older | High | Oxygen Feedback 2.1 build 2022071516 |
Detail
CVE-2018-11040
Severity: High
CVSS Score: 7.5
The Spring Framework third-party library used by Oxygen XML products is an affected version mentioned in CVE-2018-11040 vulnerability description. However, Oxygen Feedback does not use MappingJackson2JsonView nor enable JSONP support through AbstractJsonpResponseBodyAdvice. For that reason, we have rated the severity level for our products as low.
Starting with Oxygen Feedback v2.1 build 2022071516 Spring Framework library was updated to a non-vulnerable version.