[Bug 1564405] New: CVE-2018-1270 spring-framework: Possible RCE via spring messaging
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1564405
Bug ID: 1564405
Summary: CVE-2018-1270 spring-framework: Possible RCE via spring messaging
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: urgent
Priority: urgent
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: aileenc(a)redhat.com, alazarot(a)redhat.com,
anstephe(a)redhat.com, apevec(a)redhat.com,
apintea(a)redhat.com, bkundal(a)redhat.com,
bmaxwell(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, chrisw(a)redhat.com,
csutherl(a)redhat.com, darran.lofthouse(a)redhat.com,
dchen(a)redhat.com, dffrench(a)redhat.com,
dimitris(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, drusso(a)redhat.com,
etirelli(a)redhat.com, fgavrilo(a)redhat.com,
gvarsami(a)redhat.com, gzaronik(a)redhat.com,
hghasemb(a)redhat.com, ibek(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jclere(a)redhat.com,
jcoleman(a)redhat.com, jjoyce(a)redhat.com,
jmadigan(a)redhat.com, jolee(a)redhat.com,
jondruse(a)redhat.com, jschatte(a)redhat.com,
jschluet(a)redhat.com, jshepherd(a)redhat.com,
jstastny(a)redhat.com, kbasil(a)redhat.com,
kconner(a)redhat.com, kverlaen(a)redhat.com,
ldimaggi(a)redhat.com, lef(a)fedoraproject.org,
lgao(a)redhat.com, lgriffin(a)redhat.com, lhh(a)redhat.com,
lpeer(a)redhat.com, lpetrovi(a)redhat.com,
markmc(a)redhat.com, mbabacek(a)redhat.com,
mburns(a)redhat.com, mkolesni(a)redhat.com,
myarboro(a)redhat.com, ngough(a)redhat.com,
nwallace(a)redhat.com, nyechiel(a)redhat.com,
paradhya(a)redhat.com, pavelp(a)redhat.com,
pgier(a)redhat.com, pjurak(a)redhat.com,
ppalaga(a)redhat.com, psakar(a)redhat.com,
pslavice(a)redhat.com, psotirop(a)redhat.com,
pszubiak(a)redhat.com, puntogil(a)libero.it,
pwright(a)redhat.com, rbryant(a)redhat.com,
rnetuka(a)redhat.com, rrajasek(a)redhat.com,
rstancel(a)redhat.com, rsvoboda(a)redhat.com,
rsynek(a)redhat.com, rwagner(a)redhat.com,
rzhang(a)redhat.com, sclewis(a)redhat.com,
sdaley(a)redhat.com, sisharma(a)redhat.com,
slinaber(a)redhat.com, smohan(a)redhat.com,
ssaha(a)redhat.com, sstavrev(a)redhat.com,
tcunning(a)redhat.com, tdecacqu(a)redhat.com,
tjay(a)redhat.com, tkirby(a)redhat.com, trepel(a)redhat.com,
twalsh(a)redhat.com, vbellur(a)redhat.com,
vhalbert(a)redhat.com, vtunka(a)redhat.com,
weli(a)redhat.com
Spring Framework allows applications to expose STOMP over WebSocket endpoints
with a simple, in-memory STOMP broker through the spring-messaging module. A
malicious user can craft a message to the broker that leads to remote code
execution. Per the Pivotal advisory, the affected versions are Spring Framework
5.0 prior to 5.0.5, 4.3 prior to 4.3.15, and older unsupported versions; 5.0.x
users should upgrade to 5.0.5 and 4.3.x users to 4.3.15. Note that the 4.3.x fix
was later found to be incomplete and was tracked separately as CVE-2018-1275
(addressed in 4.3.16 and 5.0.6), so pinning to exactly 4.3.15 is not sufficient.
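The first thing a practitioner wants from an advisory like this is a way to find out whether a build actually ships an affected spring-messaging. The script below is an added example, not code from Red Hat or the Spring project: it scans `mvn dependency:tree` output for spring-messaging artifacts and reports which fall inside the affected ranges. The ranges and first-fixed releases (5.0.0-5.0.4 fixed in 5.0.5, 4.3.0-4.3.14 fixed in 4.3.15, anything before 4.3 unsupported) are taken from the Pivotal advisory; the dependency-tree lines are constructed sample input.

```python
"""Check Maven dependency-tree output for spring-messaging versions in the
CVE-2018-1270 affected ranges.

Added example, not Red Hat's or Spring's own code.  Affected and fixed
versions are taken from the Pivotal advisory (5.0 before 5.0.5, 4.3 before
4.3.15, and older unsupported lines).  The dependency-tree lines below are
constructed sample input in the format `mvn dependency:tree` prints.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Matches one resolved artifact in `mvn dependency:tree` output, e.g.
#   [INFO] |  \- org.springframework:spring-messaging:jar:5.0.4.RELEASE:compile
COORD_RE = re.compile(
    r"(?P<group>org\.springframework):(?P<artifact>spring-[a-z-]+):jar:"
    r"(?P<version>\d[\w.\-]*):(?P<scope>\w+)"
)

# Inclusive affected ranges per supported minor line, and the first fixed release.
AFFECTED: Dict[Tuple[int, int], Tuple[Version, Version]] = {
    (5, 0): ((5, 0, 0), (5, 0, 4)),
    (4, 3): ((4, 3, 0), (4, 3, 14)),
}
FIRST_FIXED = {(5, 0): "5.0.5", (4, 3): "4.3.15"}


def parse_version(text: str) -> Optional[Version]:
    """'5.0.4.RELEASE' -> (5, 0, 4).  Qualifiers (RELEASE, BUILD-SNAPSHOT) are
    ignored; anything that does not start with three numeric parts is None."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if this spring-messaging version is in an affected range.

    Unparseable versions return False so the caller can report them separately
    rather than silently treating them as safe or unsafe."""
    v = parse_version(version)
    if v is None:
        return False
    line = (v[0], v[1])
    if line in AFFECTED:
        low, high = AFFECTED[line]
        return low <= v <= high
    # The advisory lists "older unsupported versions" (anything before 4.3)
    # as affected with no fix; newer lines (5.1+) shipped after the fix.
    return v < (4, 3, 0)


def upgrade_target(version: str) -> Optional[str]:
    """First fixed release for an affected version, or None if not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    return FIRST_FIXED.get((v[0], v[1]), "a supported line at or above 4.3.15")


def scan_dependency_tree(lines: List[str]) -> List[dict]:
    """Return one finding per spring-messaging artifact seen in the tree output.

    Only spring-messaging is checked: that is the module the advisory names,
    and a project without it does not run the in-memory STOMP broker."""
    findings = []
    for line in lines:
        m = COORD_RE.search(line)
        if m is None or m.group("artifact") != "spring-messaging":
            continue
        ver = m.group("version")
        findings.append({
            "version": ver,
            "scope": m.group("scope"),
            "affected": is_affected(ver),
            "upgrade_to": upgrade_target(ver),
        })
    return findings


# Constructed sample: two modules of one build, one on a vulnerable release
# and one already on the first fixed 4.3.x release.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ chat-service ---
[INFO] com.example:chat-service:jar:1.0
[INFO] +- org.springframework:spring-websocket:jar:5.0.4.RELEASE:compile
[INFO] |  \\- org.springframework:spring-messaging:jar:5.0.4.RELEASE:compile
[INFO] \\- org.springframework:spring-core:jar:5.0.4.RELEASE:compile
[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ legacy-api ---
[INFO] com.example:legacy-api:jar:1.0
[INFO] \\- org.springframework:spring-messaging:jar:4.3.15.RELEASE:compile
""".splitlines()


if __name__ == "__main__":
    for f in scan_dependency_tree(SAMPLE_TREE):
        status = "AFFECTED -> upgrade to " + f["upgrade_to"] if f["affected"] else "ok"
        print(f"spring-messaging {f['version']} ({f['scope']}): {status}")
```

Feed it real output with `mvn dependency:tree | python check.py` style plumbing and treat any unparseable version string as a finding to investigate by hand; the check deliberately does not guess. Note also that a resolved spring-messaging at exactly 4.3.15 passes this CVE's range check but still needs the follow-up fix in 4.3.16.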
External References:
https://pivotal.io/security/cve-2018-1270
--
You are receiving this mail because:
You are on the CC list for the bug.