Spring-boot: 1.5.19 critical vulnerabilities CVE-2018-1270

Created on 4 Apr 2019 · 1 Comment · Source: spring-projects/spring-boot

Using version 1.5.19 I get the following high-risk vulnerability in 3 libraries:

org.springframework.retry:spring-retry - 1.2.4.RELEASE
org.springframework.ws:spring-ws-core - 2.4.4.RELEASE
org.springframework.ws:spring-xml - 3.0.7.RELEASE

CVE-2018-1270
"Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack."

invalid

Most helpful comment

Those warnings are all false positives. Spring Boot 1.5.19 uses Spring Framework 4.3.22. Only 4.3.14 and earlier versions are vulnerable.
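The practical check behind that answer is to look at the Spring Framework version that is actually resolved on the classpath (the scanner flagged spring-retry and spring-ws, which do not themselves contain the STOMP broker code) and compare it against the affected ranges quoted in the CVE text above. The following is an added example, not code from the issue or from the Spring project: it parses the shape of `mvn dependency:tree` output (the sample lines are constructed, with spring-messaging at 4.3.22.RELEASE as stated in the comment) and evaluates the resolved version against the ranges "5.0 prior to 5.0.5", "4.3 prior to 4.3.15" and "older unsupported versions".

```python
import re
from typing import Dict, Optional, Tuple

# Affected ranges exactly as quoted in the CVE-2018-1270 description:
# (minor line, first fixed version in that line).
AFFECTED_RANGES = [
    ((5, 0), (5, 0, 5)),
    ((4, 3), (4, 3, 15)),
]
# Anything below the 4.3 line falls under "older unsupported versions".
OLDEST_SUPPORTED_LINE = (4, 3)

# Matches the artifact coordinates Maven prints in dependency:tree output.
TREE_LINE = re.compile(r"org\.springframework:spring-messaging:jar:([^:\s]+):")

# Constructed sample of `mvn dependency:tree` output (not real project output).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.retry:spring-retry:jar:1.2.4.RELEASE:compile
[INFO] +- org.springframework.ws:spring-ws-core:jar:2.4.4.RELEASE:compile
[INFO] |  \\- org.springframework.ws:spring-xml:jar:3.0.7.RELEASE:compile
[INFO] \\- org.springframework:spring-messaging:jar:4.3.22.RELEASE:compile
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.3.22.RELEASE' into (4, 3, 22); the qualifier is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Spring version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the given Spring Framework version is inside an affected range."""
    v = parse_version(version)
    for line, first_fixed in AFFECTED_RANGES:
        if v[:2] == line:
            return v < first_fixed
    # Not in a listed line: affected only if it predates the 4.3 line.
    return v < OLDEST_SUPPORTED_LINE


def resolved_spring_messaging(tree_output: str) -> Optional[str]:
    """Extract the resolved spring-messaging version from dependency:tree output."""
    for line in tree_output.splitlines():
        m = TREE_LINE.search(line)
        if m:
            return m.group(1)
    return None


def assess(tree_output: str) -> Dict[str, object]:
    """Report whether the resolved spring-messaging version is affected."""
    version = resolved_spring_messaging(tree_output)
    if version is None:
        # The vulnerable broker lives in spring-messaging; absent means not reachable.
        return {"version": None, "affected": False, "reason": "spring-messaging not resolved"}
    return {"version": version, "affected": is_affected(version), "reason": "range check"}


if __name__ == "__main__":
    print(assess(SAMPLE_TREE))
```

Run `mvn dependency:tree` in the project and feed its output to `assess`; a scanner finding that names spring-retry or spring-ws but resolves to spring-messaging 4.3.15 or later (or 5.0.5 or later) is the false-positive case the comment describes.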
