CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2018-1270

CVSS 9.8v3.1pub. 2018-04-06upd. 2024-11-21

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Debian

    OS
    Debian
    9.0
  • Oracle Application Testing Suite

    APP
    Oracle
    12.5.0.313.1.0.113.2.0.113.3.0.1
  • Oracle Big Data Discovery

    APP
    Oracle
    1.6.0
  • Oracle Communications Converged Application Server

    APP
    Oracle
    < 7.0.0.1
  • Oracle Communications Diameter Signaling Router

    APP
    Oracle
    < 8.3
  • Oracle Communications Performance Intelligence Center

    APP
    Oracle
    < 10.2.1
  • Oracle Communications Services Gatekeeper

    APP
    Oracle
    < 6.1.0.4.0
  • Oracle Enterprise Manager Ops Center

    APP
    Oracle
    12.2.212.3.3
  • Oracle Goldengate For Big Data

    APP
    Oracle
    12.2.0.112.3.1.112.3.2.1
  • Oracle Healthcare Master Person Index

    APP
    Oracle
    3.04.0
  • Oracle Health Sciences Information Manager

    APP
    Oracle
    3.0
  • Oracle Insurance Calculation Engine

    APP
    Oracle
    10.1.110.210.2.1
  • Oracle Insurance Rules Palette

    APP
    Oracle
    10.010.110.211.011.1
  • Oracle Primavera Gateway

    APP
    Oracle
    15.216.217.12
  • Oracle Retail Back Office

    APP
    Oracle
    14.014.1
  • Oracle Retail Central Office

    APP
    Oracle
    14.014.1
  • Oracle Retail Customer Insights

    APP
    Oracle
    15.016.0
  • Oracle Retail Integration Bus

    APP
    Oracle
    14.0.114.0.214.0.314.0.414.1.114.1.214.1.315.0.0.115.0.115.0.216.016.0.116.0.2
  • Oracle Retail Open Commerce Platform

    APP
    Oracle
    5.3.06.0.06.0.1
  • Oracle Retail Order Broker

    APP
    Oracle
    15.016.05.15.2
  • Oracle Retail Point Of Sale

    APP
    Oracle
    14.014.1
  • Oracle Retail Predictive Application Server

    APP
    Oracle
    14.014.115.016.0
  • Oracle Retail Returns Management

    APP
    Oracle
    14.014.1
  • Oracle Retail Xstore Point Of Service

    APP
    Oracle
    7.1
  • Oracle Service Architecture Leveraging Tuxedo

    APP
    Oracle
    12.1.3.0.012.2.2.0.0
  • Oracle Tape Library Acsls

    APP
    Oracle
    8.4
  • Red Hat Fuse

    APP
    Redhat
    1.0.0
  • VMware Spring Framework

    APP
    Vmware
    5.0.0 – 5.0.5 (bez)< 4.3.16
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki