CVE-2018-15756 (CNNVD-201810-1051)

HIGH
Chinese title:
Pivotal Software Spring Framework resource management error vulnerability
English title:
DoS Attack via Range Requests
CVSS score: 7.5
Published: 2018-10-18 22:00:00
Vulnerability type: Resource management error
Status: PUBLISHED
Data quality score: 0.30
Data version: v3
Vulnerability description
Chinese description (translated):

VMware Spring Framework is an open-source Java / Java EE application framework from VMware (USA) that helps developers build high-quality applications. Spring Framework contains a resource management error vulnerability, caused by the product's improper management of system resources (memory, disk space, files and so on). The following versions are affected: Pivotal Spring Framework 5.1, 5.0.x versions before 5.0.10, 4.3.x versions before 4.3.20, and the 4.2.x versions.

English description:

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
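The description above gives the mechanism in one sentence: every range spec in the header becomes a region the server reads and writes, so the work done per request is bounded only by what the client sends. The following is an added example, not Spring's code and not its fix, showing a minimal byte-range parser with no limits beside the two checks a hardened resource handler should apply: a cap on the number of ranges, applied before any of them is parsed, and a refusal to emit more bytes than the resource holds when several ranges are requested. The constant MAX_RANGES, the class and function names, and the sample headers are this example's own assumptions.

```python
"""Added example (not Spring's code): a Range-header parser with the two
limits that turn 'many ranges / wide overlapping ranges' from a DoS sink into
a rejected request. RFC 7233 byte-range semantics; MAX_RANGES and the
sum-of-ranges rule are this example's own choices, not Spring's constants."""
import re
from dataclasses import dataclass

MAX_RANGES = 100  # assumption: cap chosen for this example

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


class RangeRequestRejected(ValueError):
    """Raised when a Range header exceeds the limits; the server should answer
    416 Range Not Satisfiable or ignore the header and send the whole body."""


@dataclass(frozen=True)
class ByteRange:
    start: int  # inclusive
    end: int    # inclusive

    @property
    def length(self) -> int:
        return self.end - self.start + 1


def parse_range_header(header: str, content_length: int) -> list[ByteRange]:
    """Turn 'bytes=a-b,c-,-n,...' into satisfiable ranges, with no limits at all.

    This is the shape of the vulnerable behaviour: each comma-separated spec
    becomes a region the server will later read and write, so a client with a
    long header multiplies the server's work for a single request.
    """
    if not header.startswith("bytes="):
        raise ValueError("unsupported range unit")
    ranges: list[ByteRange] = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError(f"malformed range spec: {spec!r}")
        first, last = m.group(1), m.group(2)
        if first == "":
            # suffix range '-n': the last n bytes of the resource
            n = int(last)
            if n == 0:
                continue  # unsatisfiable, skipped
            ranges.append(ByteRange(max(0, content_length - n), content_length - 1))
            continue
        start = int(first)
        end = content_length - 1 if last == "" else min(int(last), content_length - 1)
        if start >= content_length or end < start:
            continue  # unsatisfiable, skipped
        ranges.append(ByteRange(start, end))
    return ranges


def bytes_requested(ranges: list[ByteRange]) -> int:
    """Total bytes a server would emit for these ranges. Each range is served in
    full and overlaps are not merged, which is exactly why overlapping ranges
    are expensive for the server."""
    return sum(r.length for r in ranges)


def validate_range_request(header: str, content_length: int) -> list[ByteRange]:
    """Hardened entry point: the limits a resource handler should apply.

    1. Cap the number of range specs before any of them is parsed.
    2. For multi-range requests, refuse to emit more bytes than the resource
       holds. Legitimate multi-range clients ask for disjoint pieces, so the
       pieces sum to less than the whole; 'bytes=0-' alone is still allowed.
    """
    if not header.startswith("bytes="):
        raise ValueError("unsupported range unit")
    spec_count = header.count(",") + 1
    if spec_count > MAX_RANGES:
        raise RangeRequestRejected(f"{spec_count} ranges exceeds limit of {MAX_RANGES}")
    ranges = parse_range_header(header, content_length)
    total = bytes_requested(ranges)
    if len(ranges) > 1 and total >= content_length:
        raise RangeRequestRejected(
            f"ranges total {total} bytes, resource is only {content_length}")
    return ranges


def malicious_range_header(count: int) -> str:
    """Constructed abusive header: `count` copies of the full-resource range '0-'."""
    return "bytes=" + ",".join(["0-"] * count)


if __name__ == "__main__":
    size = 1_000_000  # a 1 MB static asset
    evil = malicious_range_header(500)
    print("unbounded parser would serve",
          bytes_requested(parse_range_header(evil, size)), "bytes")
    try:
        validate_range_request(evil, size)
    except RangeRequestRejected as exc:
        print("hardened handler rejects:", exc)
    print("legitimate request:", validate_range_request("bytes=0-99,200-299", 1000))
```

Counting the specs before parsing matters: a handler that builds hundreds of region objects and only then counts them has already done the attacker's work. The sum-of-ranges rule catches both wide overlapping ranges and repeated full ranges without sorting and merging them; it allows a single full-resource range but rejects a multi-range request that asks for the resource more than once. An application that cannot upgrade could enforce the same two limits in a filter in front of the resource handler, accepting that clients sending more than MAX_RANGES ranges (rare in practice) would be refused.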

CWE type:
(no data)
Tags:
(no data)
Affected products
Vendor Product Version Version range Platform CPE
Pivotal Spring framework 5.1 - - cpe:2.3:a:pivotal:spring_framework:5.1:*:*:*:*:*:*:*
vmware spring_framework * - - cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
vmware spring_framework 5.1.0 - - cpe:2.3:a:vmware:spring_framework:5.1.0:*:*:*:*:*:*:*
oracle agile_plm 9.3.3 - - cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*
oracle agile_plm 9.3.4 - - cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:*
oracle agile_plm 9.3.5 - - cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*
oracle agile_plm 9.3.6 - - cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
oracle communications_brm_-_elastic_charging_engine 11.3 - - cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3:*:*:*:*:*:*:*
oracle communications_brm_-_elastic_charging_engine 12.0 - - cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0:*:*:*:*:*:*:*
oracle communications_converged_application_server_-_service_controller 6.0 - - cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.0:*:*:*:*:*:*:*
oracle communications_converged_application_server_-_service_controller 6.1 - - cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.1:*:*:*:*:*:*:*
oracle communications_diameter_signaling_router 8.0.0 - - cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*
oracle communications_diameter_signaling_router 8.1 - - cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*
oracle communications_diameter_signaling_router 8.2 - - cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*
oracle communications_diameter_signaling_router 8.2.1 - - cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
oracle communications_element_manager 8.1.1 - - cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
oracle communications_element_manager 8.2.0 - - cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
oracle communications_element_manager 8.2.1 - - cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
oracle communications_online_mediation_controller 6.1 - - cpe:2.3:a:oracle:communications_online_mediation_controller:6.1:*:*:*:*:*:*:*
oracle communications_session_report_manager 8.0.0 - - cpe:2.3:a:oracle:communications_session_report_manager:8.0.0:*:*:*:*:*:*:*
oracle communications_session_report_manager 8.1.0 - - cpe:2.3:a:oracle:communications_session_report_manager:8.1.0:*:*:*:*:*:*:*
oracle communications_session_report_manager 8.1.1 - - cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
oracle communications_session_report_manager 8.2.0 - - cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
oracle communications_session_report_manager 8.2.1 - - cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
oracle communications_session_route_manager 8.0.0 - - cpe:2.3:a:oracle:communications_session_route_manager:8.0.0:*:*:*:*:*:*:*
oracle communications_session_route_manager 8.1.0 - - cpe:2.3:a:oracle:communications_session_route_manager:8.1.0:*:*:*:*:*:*:*
oracle communications_session_route_manager 8.1.1 - - cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
oracle communications_session_route_manager 8.2.0 - - cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
oracle communications_session_route_manager 8.2.1 - - cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
oracle communications_unified_inventory_management 7.3 - - cpe:2.3:a:oracle:communications_unified_inventory_management:7.3:*:*:*:*:*:*:*
oracle communications_unified_inventory_management 7.4.0 - - cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
oracle endeca_information_discovery_integrator 3.2.0 - - cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*
oracle enterprise_manager_for_fusion_applications 13.3.0.0 - - cpe:2.3:a:oracle:enterprise_manager_for_fusion_applications:13.3.0.0:*:*:*:*:*:*:*
oracle enterprise_manager_ops_center 12.3.3 - - cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
oracle financial_services_analytical_applications_infrastructure * - - cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
oracle flexcube_private_banking 12.0.1 - - cpe:2.3:a:oracle:flexcube_private_banking:12.0.1:*:*:*:*:*:*:*
oracle flexcube_private_banking 12.0.3 - - cpe:2.3:a:oracle:flexcube_private_banking:12.0.3:*:*:*:*:*:*:*
oracle flexcube_private_banking 12.1.0 - - cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
oracle goldengate_application_adapters 12.3.2.1.0 - - cpe:2.3:a:oracle:goldengate_application_adapters:12.3.2.1.0:*:*:*:*:*:*:*
oracle healthcare_master_person_index 3.0 - - cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*
oracle healthcare_master_person_index 4.0.2 - - cpe:2.3:a:oracle:healthcare_master_person_index:4.0.2:*:*:*:*:*:*:*
oracle identity_manager_connector 9.0 - - cpe:2.3:a:oracle:identity_manager_connector:9.0:*:*:*:*:*:*:*
oracle insurance_calculation_engine 9.7 - - cpe:2.3:a:oracle:insurance_calculation_engine:9.7:*:*:*:*:*:*:*
oracle insurance_calculation_engine 10.0 - - cpe:2.3:a:oracle:insurance_calculation_engine:10.0:*:*:*:*:*:*:*
oracle insurance_calculation_engine 10.1 - - cpe:2.3:a:oracle:insurance_calculation_engine:10.1:*:*:*:*:*:*:*
oracle insurance_calculation_engine 10.2 - - cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*
oracle insurance_policy_administration_j2ee 10.0 - - cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.0:*:*:*:*:*:*:*
oracle insurance_policy_administration_j2ee 10.1 - - cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.1:*:*:*:*:*:*:*
oracle insurance_policy_administration_j2ee 10.2 - - cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2:*:*:*:*:*:*:*
oracle insurance_policy_administration_j2ee 10.2.0 - - cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:*:*:*:*:*:*:*
oracle insurance_policy_administration_j2ee 10.2.4 - - cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:*:*:*:*:*:*:*
oracle insurance_policy_administration_j2ee 11.0 - - cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0:*:*:*:*:*:*:*
oracle insurance_policy_administration_j2ee 11.1.0 - - cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.1.0:*:*:*:*:*:*:*
oracle insurance_policy_administration_j2ee 11.2.0 - - cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.2.0:*:*:*:*:*:*:*
oracle insurance_rules_palette 10.0 - - cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*
oracle insurance_rules_palette 10.1 - - cpe:2.3:a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*
oracle insurance_rules_palette 10.2 - - cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*
oracle insurance_rules_palette 10.2.0 - - cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:*:*:*:*:*:*:*
oracle insurance_rules_palette 10.2.4 - - cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:*:*:*:*:*:*:*
oracle insurance_rules_palette 11.0 - - cpe:2.3:a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*
oracle insurance_rules_palette 11.0.2 - - cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*
oracle insurance_rules_palette 11.1.0 - - cpe:2.3:a:oracle:insurance_rules_palette:11.1.0:*:*:*:*:*:*:*
oracle insurance_rules_palette 11.2.0 - - cpe:2.3:a:oracle:insurance_rules_palette:11.2.0:*:*:*:*:*:*:*
oracle mysql_enterprise_monitor * - - cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
oracle primavera_analytics 18.8 - - cpe:2.3:a:oracle:primavera_analytics:18.8:*:*:*:*:*:*:*
oracle primavera_gateway 15.2 - - cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
oracle primavera_gateway 16.2 - - cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
oracle primavera_gateway 17.12 - - cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
oracle primavera_gateway 18.8.0 - - cpe:2.3:a:oracle:primavera_gateway:18.8.0:*:*:*:*:*:*:*
oracle rapid_planning 12.1 - - cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*
oracle rapid_planning 12.2 - - cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*
oracle retail_advanced_inventory_planning 15.0 - - cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*
oracle retail_assortment_planning 15.0 - - cpe:2.3:a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:*
oracle retail_assortment_planning 16.0 - - cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:*
oracle retail_clearance_optimization_engine 14.0.5 - - cpe:2.3:a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:*
oracle retail_financial_integration 14.0 - - cpe:2.3:a:oracle:retail_financial_integration:14.0:*:*:*:*:*:*:*
oracle retail_financial_integration 14.1 - - cpe:2.3:a:oracle:retail_financial_integration:14.1:*:*:*:*:*:*:*
oracle retail_financial_integration 15.0 - - cpe:2.3:a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*
oracle retail_financial_integration 16.0 - - cpe:2.3:a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*
oracle retail_integration_bus 15.0 - - cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*
oracle retail_integration_bus 15.0.3 - - cpe:2.3:a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*
oracle retail_integration_bus 16.0 - - cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*
oracle retail_integration_bus 16.0.3 - - cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*
oracle retail_invoice_matching 12.0 - - cpe:2.3:a:oracle:retail_invoice_matching:12.0:*:*:*:*:*:*:*
oracle retail_invoice_matching 13.0 - - cpe:2.3:a:oracle:retail_invoice_matching:13.0:*:*:*:*:*:*:*
oracle retail_invoice_matching 13.1 - - cpe:2.3:a:oracle:retail_invoice_matching:13.1:*:*:*:*:*:*:*
oracle retail_invoice_matching 13.2 - - cpe:2.3:a:oracle:retail_invoice_matching:13.2:*:*:*:*:*:*:*
oracle retail_invoice_matching 14.0 - - cpe:2.3:a:oracle:retail_invoice_matching:14.0:*:*:*:*:*:*:*
oracle retail_invoice_matching 14.1 - - cpe:2.3:a:oracle:retail_invoice_matching:14.1:*:*:*:*:*:*:*
oracle retail_markdown_optimization 13.4.4 - - cpe:2.3:a:oracle:retail_markdown_optimization:13.4.4:*:*:*:*:*:*:*
oracle retail_order_broker 5.1 - - cpe:2.3:a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*
oracle retail_order_broker 5.2 - - cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*
oracle retail_order_broker 15.0 - - cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
oracle retail_order_broker 16.0 - - cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
oracle retail_predictive_application_server 14.0.3 - - cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3:*:*:*:*:*:*:*
oracle retail_predictive_application_server 14.0.3.26 - - cpe:2.3:a:oracle:retail_predictive_application_server:14.0.3.26:*:*:*:*:*:*:*
oracle retail_predictive_application_server 14.1.3 - - cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3:*:*:*:*:*:*:*
oracle retail_predictive_application_server 14.1.3.37 - - cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.37:*:*:*:*:*:*:*
oracle retail_predictive_application_server 15.0.3 - - cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3:*:*:*:*:*:*:*
oracle retail_predictive_application_server 15.0.3.100 - - cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3.100:*:*:*:*:*:*:*
oracle retail_predictive_application_server 16.0 - - cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*
oracle retail_predictive_application_server 16.0.3 - - cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3:*:*:*:*:*:*:*
oracle retail_service_backbone 15.0 - - cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*
oracle retail_service_backbone 16.0 - - cpe:2.3:a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*
oracle retail_service_backbone 16.0.1 - - cpe:2.3:a:oracle:retail_service_backbone:16.0.1:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 7.1 - - cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
oracle tape_library_acsls 8.5 - - cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:*
oracle webcenter_sites 12.2.1.3.0 - - cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
oracle weblogic_server 10.3.6.0.0 - - cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
oracle weblogic_server 12.1.3.0.0 - - cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
oracle weblogic_server 12.2.1.3.0 - - cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
oracle weblogic_server 12.2.1.4.0 - - cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
debian debian_linux 9.0 - - cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
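The table above lists CPEs, but the operationally useful question is which Spring jars on a classpath fall inside the affected ranges the description gives. The following added example, which is not tooling from Spring, Pivotal or this database, maps jar file names to those ranges. The sample classpath listing is constructed; the "unlisted" status for versions the text does not mention (5.1.x above 5.1.0, 5.2 and later, 4.1 and earlier) is this example's own convention; and the Spring Boot handling reflects the description's note that Boot web starters serve static resources by default while carrying their own version line.

```python
"""Added example (not Spring's or Pivotal's tooling): classify Spring jar names
against the affected ranges the advisory text lists (5.1; 5.0.x < 5.0.10;
4.3.x < 4.3.20; the unsupported 4.2.x line). SAMPLE_JARS is constructed input."""
import re
from typing import NamedTuple

_JAR = re.compile(
    r"^spring-(?P<artifact>[a-z]+(?:-[a-z]+)*)-"
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:\.(?P<qualifier>[A-Za-z0-9.-]+))?\.jar$"
)

# Modules the advisory names as the entry point to the vulnerable code path.
WEB_MODULES = {"webmvc", "webflux"}


class Finding(NamedTuple):
    jar: str
    artifact: str
    version: str
    status: str  # "affected", "not affected", "unlisted" or "n/a"
    note: str


def classify(major: int, minor: int, patch: int) -> str:
    """Map a Spring Framework version to the advisory's affected ranges.
    'unlisted' means the advisory text says nothing about that line; check
    the vendor's fix list rather than assuming it is clean."""
    if (major, minor) == (5, 1):
        return "affected" if patch == 0 else "unlisted"
    if (major, minor) == (5, 0):
        return "affected" if patch < 10 else "not affected"
    if (major, minor) == (4, 3):
        return "affected" if patch < 20 else "not affected"
    if (major, minor) == (4, 2):
        return "affected"  # unsupported branch: no fixed release, upgrade instead
    return "unlisted"


def scan_jar_names(names: list[str]) -> list[Finding]:
    """Classify every Spring jar in a classpath listing; other jars are skipped."""
    findings: list[Finding] = []
    for name in names:
        m = _JAR.match(name)
        if not m:
            continue  # not a Spring jar, or a name this scanner does not understand
        artifact = m["artifact"]
        version = ".".join((m["major"], m["minor"], m["patch"]))
        if artifact.startswith("boot"):
            # Spring Boot has its own version line; the Framework version is in the transitive jars.
            findings.append(Finding(name, artifact, version, "n/a",
                "Spring Boot artifact: check the spring-webmvc/spring-webflux jar it pulls in"))
            continue
        status = classify(int(m["major"]), int(m["minor"]), int(m["patch"]))
        if artifact in WEB_MODULES:
            note = ("exploitable if the app serves static resources or returns a Resource "
                    "from a controller; Boot web starters do so by default")
        else:
            note = "same release train; the vulnerable handlers live in spring-webmvc/spring-webflux"
        findings.append(Finding(name, artifact, version, status, note))
    return findings


def affected_jars(names: list[str]) -> list[str]:
    """Just the jar names whose version is inside the advisory's affected ranges."""
    return [f.jar for f in scan_jar_names(names) if f.status == "affected"]


# Constructed sample classpath listing (not from any real deployment).
SAMPLE_JARS = [
    "spring-webmvc-5.0.9.RELEASE.jar",
    "spring-webflux-5.1.0.RELEASE.jar",
    "spring-webmvc-4.3.20.RELEASE.jar",
    "spring-webmvc-5.0.10.RELEASE.jar",
    "spring-core-5.0.1.RELEASE.jar",  # the jar named in the ARTEMIS-2363 reference below
    "spring-webmvc-4.2.9.RELEASE.jar",
    "spring-boot-starter-web-2.0.5.RELEASE.jar",
    "jackson-databind-2.9.6.jar",
]

if __name__ == "__main__":
    for f in scan_jar_names(SAMPLE_JARS):
        print(f"{f.status:13} {f.jar:45} {f.note}")
```

A version match is necessary but not sufficient: the description makes exploitability depend on a static-resource registration or a controller returning a Resource, which a jar listing cannot see, so the notes point the reviewer at that configuration check rather than marking a finding as exploitable.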
Solution
Chinese solution:
(no data)
English solution:
(no data)
Workaround:
(no data)
References (all listed via cve.org)
105703 (vdb-entry)
[activemq-issues] 20190529 [jira] [Created] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (mailing-list)
[activemq-issues] 20190529 [jira] [Commented] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (mailing-list)
[activemq-issues] 20190529 [jira] [Updated] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (mailing-list)
[activemq-issues] 20190626 [jira] [Assigned] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (mailing-list)
[activemq-issues] 20190626 [jira] [Work logged] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (mailing-list)
[activemq-issues] 20190716 [jira] [Commented] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (mailing-list)
[activemq-issues] 20190826 [jira] [Reopened] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (mailing-list)
[activemq-issues] 20190826 [jira] [Closed] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (mailing-list)
[activemq-issues] 20190826 [jira] [Updated] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 (mailing-list)
(untitled) x_refsource_MISC
(untitled) x_refsource_MISC
(untitled) x_refsource_MISC
(untitled) x_refsource_MISC
(untitled) x_refsource_MISC
(untitled) x_refsource_MISC
(untitled) x_refsource_CONFIRM
(untitled) x_refsource_MISC
[debian-lts-announce] 20210423 [SECURITY] [DLA 2635-1] libspring-java security update (mailing-list)
(untitled) x_refsource_MISC
(untitled) x_refsource_MISC
CVSS score details
3.0 (cna)
HIGH
7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Timeline
Published:
2018-10-18 22:00:00
Modified:
2024-09-16 16:59:11
Created:
2025-11-11 15:35:07
Updated:
2025-11-11 15:53:58
Exploit information
No exploit code information available
Data source details
Data source Record ID Version Extracted at
CVE cve_CVE-2018-15756 2025-11-11 15:19:42 2025-11-11 07:35:07
NVD nvd_CVE-2018-15756 2025-11-11 14:55:59 2025-11-11 07:43:42
CNNVD cnnvd_CNNVD-201810-1051 2025-11-11 15:10:06 2025-11-11 07:53:58
Version and language
Current version: v3
Primary language: EN
Supported languages:
EN ZH
Security advisories
No security advisory information available
Change history
v3 CNNVD
2025-11-11 15:53:58
  • vulnerability_type: not extracted -> Resource management error
  • cnnvd_id: not extracted -> CNNVD-201810-1051
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:43:42
  • affected_products_count: 1 -> 113
  • data_sources: ['cve'] -> ['cve', 'nvd']