高危 Spring Framework及Spring Security 未授权访问漏洞(CVE-2018-1258)
CVE编号
CVE-2018-1258利用情况
暂无补丁情况
官方补丁披露时间
2018-05-12漏洞描述
Pivotal Spring Security和Spring Framework都是美国Pivotal Software公司的产品。Pivotal Spring Security是一套为基于Spring的应用程序提供说明性安全保护的安全框架。Spring Framework是一套开源的Java、Java EE应用程序框架。 Pivotal Spring Security和Spring Framework 5.0.6之前版本中存在安全漏洞。Spring Framework 5.0.5 与任何版本的 Spring Security 结合使用时,在使用方法安全性时包含授权绕过问题,未经授权的恶意用户可以获得对应受限制的访问。解决建议
目前厂商已发布升级补丁以修复漏洞,补丁获取链接:https://pivotal.io/security/cve-2018-1258受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | netapp | oncommand_insight | - | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | netapp | oncommand_unified_manager | * | From (including) 7.3 | |||||
| 运行在以下环境 | |||||||||
| 应用 | netapp | oncommand_unified_manager | * | From (including) 9.4 | |||||
| 运行在以下环境 | |||||||||
| 应用 | netapp | oncommand_workflow_automation | - | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | netapp | snapcenter | - | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | netapp | storage_automation_store | - | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | agile_plm | 9.3.3 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | agile_plm | 9.3.4 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | agile_plm | 9.3.5 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | agile_plm | 9.3.6 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | application_testing_suite | 10.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | application_testing_suite | 12.5.0.3 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | application_testing_suite | 13.1.0.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | application_testing_suite | 13.2.0.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | application_testing_suite | 13.3.0.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | big_data_discovery | 1.6.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | communications_converged_application_server | * | Up to (excluding) 7.0.0.1 | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | communications_diameter_signaling_router | * | Up to (excluding) 8.3 | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | communications_performance_intelligence_center | * | Up to (excluding) 10.2.1 | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | communications_services_gatekeeper | * | Up to (excluding) 6.1.0.4.0 | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | endeca_information_discovery_integrator | 3.1.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | endeca_information_discovery_integrator | 3.2.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | enterprise_manager_for_mysql_database | 13.2 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | enterprise_manager_ops_center | 12.2.2 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | enterprise_manager_ops_center | 12.3.3 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | enterprise_repository | 11.1.1.7.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | enterprise_repository | 12.1.3.0.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | goldengate_for_big_data | 12.2.0.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | goldengate_for_big_data | 12.3.1.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | goldengate_for_big_data | 12.3.2.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | healthcare_master_person_index | 3.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | healthcare_master_person_index | 4.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | health_sciences_information_manager | 3.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | hospitality_guest_access | 4.2.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | hospitality_guest_access | 4.2.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | insurance_calculation_engine | 10.1.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | insurance_calculation_engine | 10.2 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | insurance_calculation_engine | 10.2.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | insurance_policy_administration | 10.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | insurance_policy_administration | 10.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | insurance_policy_administration | 10.2 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | insurance_policy_administration | 11.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | insurance_rules_palette | 10.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | insurance_rules_palette | 10.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | insurance_rules_palette | 10.2 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | insurance_rules_palette | 11.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | insurance_rules_palette | 11.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | micros_lucas | 2.9.5 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | mysql_enterprise_monitor | * | Up to (including) 8.0.2.8191 | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | peoplesoft_enterprise_fin_install | 9.2 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_assortment_planning | 14.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_assortment_planning | 15.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_assortment_planning | 16.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_back_office | 14.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_back_office | 14.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_central_office | 14.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_central_office | 14.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_customer_insights | 15.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_customer_insights | 16.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_financial_integration | 13.2 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_financial_integration | 14.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_financial_integration | 14.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_financial_integration | 15.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_financial_integration | 16.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_integration_bus | 14.1.2 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_point-of-service | 14.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_point-of-service | 14.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_returns_management | 14.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | retail_returns_management | 14.1 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | service_architecture_leveraging_tuxedo | 12.1.3.0.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | service_architecture_leveraging_tuxedo | 12.2.2.0.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | tape_library_acsls | 8.4 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | weblogic_server | 10.3.6.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | weblogic_server | 12.1.3.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | weblogic_server | 12.2.1.2 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | weblogic_server | 12.2.1.3 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.10 | phpmyadmin | * | Up to (excluding) 4.8.2-r0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.11 | phpmyadmin | * | Up to (excluding) 4.8.2-r0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.12 | phpmyadmin | * | Up to (excluding) 4.8.2-r0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.13 | phpmyadmin | * | Up to (excluding) 4.8.2-r0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.8 | phpmyadmin | * | Up to (excluding) 4.8.2-r0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.9 | phpmyadmin | * | Up to (excluding) 4.8.2-r0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_edge | phpmyadmin | * | Up to (excluding) 4.8.2-r0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian_8 | phpmyadmin | * | Up to (excluding) 1:1.9.7-5+deb8u1 | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian_9 | phpmyadmin | * | Up to (excluding) 1.11.0~beta1-3+deb9u1 | |||||
| 运行在以下环境 | |||||||||
| 系统 | fedora_28 | phpmyadmin | * | Up to (excluding) 4.8.2-1.fc28 | |||||
| 运行在以下环境 | |||||||||
| 系统 | opensuse_Leap_15.0 | phpmyadmin | * | Up to (excluding) 4.8.2-lp150.2.3.1 | |||||
| 运行在以下环境 | |||||||||
| 系统 | opensuse_Leap_42.3 | phpmyadmin | * | Up to (excluding) 4.8.2-15.1 | |||||
- 攻击路径 远程
- 攻击复杂度 容易
- 权限要求 普通权限
- 影响范围 全局影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 数据泄露
- 数据完整性 传输被破坏
- 服务器危害 无影响
- 全网数量 N/A
| CWE-ID | 漏洞类型 |
| CWE-863 | 授权机制不正确 |
Exp相关链接
版权声明
本站原创文章转载请注明文章出处及链接,谢谢合作!
评论