VYPR
Moderate severity · NVD Advisory · Published Jun 25, 2018 · Updated Sep 16, 2024

CVE-2018-11039

Description

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Spring Framework's HiddenHttpMethodFilter allows arbitrary HTTP methods, enabling XST attacks when combined with XSS.

Vulnerability

Spring Framework versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 allow web applications to change the HTTP request method to any method, including TRACE, via the HiddenHttpMethodFilter in Spring MVC [1]. This filter reads a _method parameter from POST requests and overrides the original HTTP method with its value. By default, it does not restrict which methods can be set, so a request can specify arbitrary methods such as TRACE.

Exploitation

An attacker must first exploit a pre-existing cross-site scripting (XSS) vulnerability in the application [1]. From that XSS foothold, the attacker can craft a request that includes a _method parameter set to TRACE. If the servlet container (e.g., Tomcat) has TRACE enabled, the server echoes the original request in the response body, potentially exposing sensitive headers such as cookies.

Impact

Successful exploitation allows the attacker to read the HTTP request headers of a victim's request, including authentication cookies or authorization tokens, through a cross-site tracing (XST) attack [1]. This can lead to session hijacking and unauthorized access to the application with the victim's privileges.

Mitigation

Spring Framework released fixed versions 5.0.7 and 4.3.18 that restrict allowed HTTP methods in HiddenHttpMethodFilter to DELETE, PUT, and PATCH [2]. Users should upgrade to these versions or later. If upgrading is not immediately possible, administrators can disable the filter or configure it to only allow safe methods. The vulnerability is not listed on CISA's KEV.
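To make the override decision described under Vulnerability and Mitigation concrete, here is an added Python model (not Spring's code) of the servlet filter's behaviour before and after the allow-list fix, plus a small detector that flags POST requests whose _method value the patched filter would drop. The log line format and the sample traffic are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qs

# Allow-list introduced by the fix: only these may replace the POST method.
ALLOWED_OVERRIDES = frozenset({"PUT", "DELETE", "PATCH"})


@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str] = field(default_factory=dict)
    method_param: str = "_method"  # the filter's parameter name is configurable


def effective_method(req: Request, patched: bool = True) -> str:
    """Return the method the override filter hands to the rest of the chain.

    Models the servlet HiddenHttpMethodFilter as the page describes it: only
    POST requests are considered, the parameter value is upper-cased, and with
    the fix applied any value outside PUT/DELETE/PATCH leaves the request as
    POST. Without the fix the upper-cased value replaced the method as-is.
    """
    if req.method != "POST":
        return req.method
    value = req.form.get(req.method_param, "")
    if not value:
        return "POST"
    candidate = value.upper()
    if patched and candidate not in ALLOWED_OVERRIDES:
        return "POST"
    return candidate


def parse_form(body: str) -> Dict[str, str]:
    """First value of each application/x-www-form-urlencoded field."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def find_override_attempts(log_lines: List[str]) -> List[dict]:
    """Flag POST requests whose _method value the patched filter would ignore.

    Each line is '<client> <method> <path> <form body or ->'; this format is an
    assumption of the example, standing in for request logging that records
    form parameters.
    """
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than guess
        client, method, path, body = parts
        form = {} if body == "-" else parse_form(body)
        req = Request(method, path, form)
        requested = form.get(req.method_param, "").upper()
        if method != "POST" or not requested or requested in ALLOWED_OVERRIDES:
            continue
        findings.append({
            "client": client,
            "path": path,
            "requested": requested,
            "patched_result": effective_method(req),
            "unpatched_result": effective_method(req, patched=False),
        })
    return findings


# Constructed sample traffic, not taken from any real system.
SAMPLE_LOG = [
    "203.0.113.5 POST /hotels/7 _method=delete",        # legitimate override
    "203.0.113.5 POST /hotels/7 _method=patch&name=x",
    "198.51.100.9 POST /hotels _method=trace",          # TRACE without the fix
    "198.51.100.9 POST /hotels _method=OPTIONS",
    "192.0.2.44 GET /hotels _method=trace",             # non-POST never rewritten
    "192.0.2.44 POST /login user=a&pass=b",             # no override parameter
]

if __name__ == "__main__":
    for hit in find_override_attempts(SAMPLE_LOG):
        print(hit)
```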

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Affected versions     Patched versions
org.springframework:spring-web (Maven)    >= 5.0.0, < 5.0.7     5.0.7
org.springframework:spring-web (Maven)    >= 4.3.0, < 4.3.18    4.3.18


Patches (5)

dac97f1b7dac

Restrict HTTP methods on Reactive HiddenHttpMethodFilter

2 files changed · +21 −3
  • spring-web/src/main/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.java  (+14 −2, modified)
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2017 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -16,6 +16,9 @@
     
     package org.springframework.web.filter.reactive;
     
    +import java.util.Arrays;
    +import java.util.Collections;
    +import java.util.List;
     import java.util.Locale;
     
     import reactor.core.publisher.Mono;
    @@ -45,6 +48,10 @@
      */
     public class HiddenHttpMethodFilter implements WebFilter {
     
    +	private static final List<HttpMethod> ALLOWED_METHODS =
    +			Collections.unmodifiableList(Arrays.asList(HttpMethod.PUT,
    +					HttpMethod.DELETE, HttpMethod.PATCH));
    +
     	/** Default name of the form parameter with the HTTP method to use */
     	public static final String DEFAULT_METHOD_PARAMETER_NAME = "_method";
     
    @@ -87,7 +94,12 @@ public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
     	private ServerWebExchange mapExchange(ServerWebExchange exchange, String methodParamValue) {
     		HttpMethod httpMethod = HttpMethod.resolve(methodParamValue.toUpperCase(Locale.ENGLISH));
     		Assert.notNull(httpMethod, () -> "HttpMethod '" + methodParamValue + "' not supported");
    -		return exchange.mutate().request(builder -> builder.method(httpMethod)).build();
    +		if (ALLOWED_METHODS.contains(httpMethod)) {
    +			return exchange.mutate().request(builder -> builder.method(httpMethod)).build();
    +		}
    +		else {
    +			return exchange;
    +		}
     	}
     
     }
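Review bot: the two failure cases in mapExchange are now handled differently: a value that HttpMethod.resolve does not recognise still trips Assert.notNull and throws, while a recognised but disallowed value such as TRACE is silently dropped and the exchange continues as POST. Consider treating both the same way (ignore both or reject both), and logging at debug level when a disallowed override is dropped so that requests probing this behaviour leave a trace in application logs.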
    
  • spring-web/src/test/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilterTests.java  (+7 −1, modified)
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2017 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -52,6 +52,12 @@ public void filterWithParameter() {
     		assertEquals(HttpMethod.DELETE, this.filterChain.getHttpMethod());
     	}
     
    +	@Test
    +	public void filterWithParameterMethodNotAllowed() {
    +		postForm("_method=TRACE").block(Duration.ZERO);
    +		assertEquals(HttpMethod.POST, this.filterChain.getHttpMethod());
    +	}
    +
     	@Test
     	public void filterWithNoParameter() {
     		postForm("").block(Duration.ZERO);
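Review bot: filterWithParameterMethodNotAllowed pins only TRACE; add cases for GET, HEAD and OPTIONS (as the servlet test does) and for a value HttpMethod.resolve returns null for, so that the exception path in mapExchange is covered by a test rather than left implicit.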
    
a5cd01a4c857

Restrict HTTP methods on Reactive HiddenHttpMethodFilter

2 files changed · +21 −3
  • spring-web/src/main/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.java  (+14 −2, modified)
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2017 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -16,6 +16,9 @@
     
     package org.springframework.web.filter.reactive;
     
    +import java.util.Arrays;
    +import java.util.Collections;
    +import java.util.List;
     import java.util.Locale;
     
     import reactor.core.publisher.Mono;
    @@ -45,6 +48,10 @@
      */
     public class HiddenHttpMethodFilter implements WebFilter {
     
    +	private static final List<HttpMethod> ALLOWED_METHODS =
    +			Collections.unmodifiableList(Arrays.asList(HttpMethod.PUT,
    +					HttpMethod.DELETE, HttpMethod.PATCH));
    +
     	/** Default name of the form parameter with the HTTP method to use */
     	public static final String DEFAULT_METHOD_PARAMETER_NAME = "_method";
     
    @@ -87,7 +94,12 @@ public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
     	private ServerWebExchange mapExchange(ServerWebExchange exchange, String methodParamValue) {
     		HttpMethod httpMethod = HttpMethod.resolve(methodParamValue.toUpperCase(Locale.ENGLISH));
     		Assert.notNull(httpMethod, () -> "HttpMethod '" + methodParamValue + "' not supported");
    -		return exchange.mutate().request(builder -> builder.method(httpMethod)).build();
    +		if (ALLOWED_METHODS.contains(httpMethod)) {
    +			return exchange.mutate().request(builder -> builder.method(httpMethod)).build();
    +		}
    +		else {
    +			return exchange;
    +		}
     	}
     
     }
    
  • spring-web/src/test/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilterTests.java  (+7 −1, modified)
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2017 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -52,6 +52,12 @@ public void filterWithParameter() {
     		assertEquals(HttpMethod.DELETE, this.filterChain.getHttpMethod());
     	}
     
    +	@Test
    +	public void filterWithParameterMethodNotAllowed() {
    +		postForm("_method=TRACE").block(Duration.ZERO);
    +		assertEquals(HttpMethod.POST, this.filterChain.getHttpMethod());
    +	}
    +
     	@Test
     	public void filterWithNoParameter() {
     		postForm("").block(Duration.ZERO);
    
f2694a8ed93f

Restrict HTTP methods on Servlet HiddenHttpMethodFilter

2 files changed · +38 −19
  • spring-web/src/main/java/org/springframework/web/filter/HiddenHttpMethodFilter.java  (+15 −3, modified)
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2017 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -17,13 +17,17 @@
     package org.springframework.web.filter;
     
     import java.io.IOException;
    +import java.util.Arrays;
    +import java.util.Collections;
    +import java.util.List;
     import java.util.Locale;
     import javax.servlet.FilterChain;
     import javax.servlet.ServletException;
     import javax.servlet.http.HttpServletRequest;
     import javax.servlet.http.HttpServletRequestWrapper;
     import javax.servlet.http.HttpServletResponse;
     
    +import org.springframework.http.HttpMethod;
     import org.springframework.util.Assert;
     import org.springframework.util.StringUtils;
     import org.springframework.web.util.WebUtils;
    @@ -35,6 +39,7 @@
      * is to use a normal POST with an additional hidden form field ({@code _method})
      * to pass the "real" HTTP method along. This filter reads that parameter and changes
      * the {@link HttpServletRequestWrapper#getMethod()} return value accordingly.
    + * Only {@code "PUT"}, {@code "DELETE"} and {@code "PATCH"} HTTP methods are allowed.
      *
      * <p>The name of the request parameter defaults to {@code _method}, but can be
      * adapted via the {@link #setMethodParam(String) methodParam} property.
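Review bot: the added Javadoc line says which methods are allowed but not what happens otherwise; state that any other value (TRACE, GET, an unrecognised string) is ignored and the request continues as a plain POST, since that silent fallback is the behaviour callers will be surprised by.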
    @@ -50,6 +55,10 @@
      */
     public class HiddenHttpMethodFilter extends OncePerRequestFilter {
     
    +	private static final List<String> ALLOWED_METHODS =
    +			Collections.unmodifiableList(Arrays.asList(HttpMethod.PUT.name(),
    +					HttpMethod.DELETE.name(), HttpMethod.PATCH.name()));
    +
     	/** Default method parameter: {@code _method} */
     	public static final String DEFAULT_METHOD_PARAM = "_method";
     
    @@ -74,7 +83,10 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
     		if ("POST".equals(request.getMethod()) && request.getAttribute(WebUtils.ERROR_EXCEPTION_ATTRIBUTE) == null) {
     			String paramValue = request.getParameter(this.methodParam);
     			if (StringUtils.hasLength(paramValue)) {
    -				requestToUse = new HttpMethodRequestWrapper(request, paramValue);
    +				String method = paramValue.toUpperCase(Locale.ENGLISH);
    +				if (ALLOWED_METHODS.contains(method)) {
    +					requestToUse = new HttpMethodRequestWrapper(request, method);
    +				}
     			}
     		}
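Review bot: the new ALLOWED_METHODS check drops the override silently, so an application sees a POST where it expected something else and nothing records why. A debug-level log when paramValue is non-empty but not in the allow-list would keep the fixed behaviour while giving operators a signal that a request tried to set an unsupported method; a Set<String> would also read more naturally than a List for a membership test.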
     
    @@ -92,7 +104,7 @@ private static class HttpMethodRequestWrapper extends HttpServletRequestWrapper
     
     		public HttpMethodRequestWrapper(HttpServletRequest request, String method) {
     			super(request);
    -			this.method = method.toUpperCase(Locale.ENGLISH);
    +			this.method = method;
     		}
     
     		@Override
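Review bot: HttpMethodRequestWrapper no longer upper-cases its argument, so it now relies on the caller having normalised the value. Because the class is private and doFilterInternal does the normalisation, that holds today, but a short comment on the constructor (or keeping the toUpperCase as a cheap second line of defence) would stop a future caller from passing through a lower-case method name.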
    
  • spring-web/src/test/java/org/springframework/web/filter/HiddenHttpMethodFilterTests.java  (+23 −16, modified)
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2014 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -31,45 +31,52 @@
     import static org.junit.Assert.*;
     
     /**
    + * Tests for {@link HiddenHttpMethodFilter}.
    + * 
      * @author Arjen Poutsma
    + * @author Brian Clozel
      */
     public class HiddenHttpMethodFilterTests {
     
     	private final HiddenHttpMethodFilter filter = new HiddenHttpMethodFilter();
     
     	@Test
     	public void filterWithParameter() throws IOException, ServletException {
    -		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/hotels");
    -		request.addParameter("_method", "delete");
    -		MockHttpServletResponse response = new MockHttpServletResponse();
    -
    -		FilterChain filterChain = new FilterChain() {
    +		filterWithParameterForMethod("delete", "DELETE");
    +		filterWithParameterForMethod("put", "PUT");
    +		filterWithParameterForMethod("patch", "PATCH");
    +	}
     
    -			@Override
    -			public void doFilter(ServletRequest filterRequest,
    -					ServletResponse filterResponse) throws IOException, ServletException {
    -				assertEquals("Invalid method", "DELETE",
    -						((HttpServletRequest) filterRequest).getMethod());
    -			}
    -		};
    -		filter.doFilter(request, response, filterChain);
    +	@Test
    +	public void filterWithParameterDisallowedMethods() throws IOException, ServletException {
    +		filterWithParameterForMethod("trace", "POST");
    +		filterWithParameterForMethod("head", "POST");
    +		filterWithParameterForMethod("options", "POST");
     	}
     
     	@Test
     	public void filterWithNoParameter() throws IOException, ServletException {
    +		filterWithParameterForMethod(null, "POST");
    +	}
    +
    +	private void filterWithParameterForMethod(String methodParam, String expectedMethod)
    +			throws IOException, ServletException {
     		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/hotels");
    +		if(methodParam != null) {
    +			request.addParameter("_method", methodParam);
    +		}
     		MockHttpServletResponse response = new MockHttpServletResponse();
     
     		FilterChain filterChain = new FilterChain() {
     
     			@Override
     			public void doFilter(ServletRequest filterRequest,
     					ServletResponse filterResponse) throws IOException, ServletException {
    -				assertEquals("Invalid method", "POST",
    +				assertEquals("Invalid method", expectedMethod,
     						((HttpServletRequest) filterRequest).getMethod());
     			}
     		};
    -		filter.doFilter(request, response, filterChain);
    +		this.filter.doFilter(request, response, filterChain);
     	}
     
     }
    \ No newline at end of file
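Review bot: two style points and one missing case in the rewritten tests: `if(methodParam != null)` lacks the space after `if` used everywhere else in this file, the new Javadoc line `+ * ` carries trailing whitespace, and the file still ends without a newline. For coverage, add a case where a non-POST request (for example GET with _method=delete) is left untouched, since doFilterInternal only consults the parameter when request.getMethod() is POST and no test exercises that branch.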
    
f64fa3dea10a

Restrict HTTP methods on Servlet HiddenHttpMethodFilter

2 files changed · +38 −19
  • spring-web/src/main/java/org/springframework/web/filter/HiddenHttpMethodFilter.java  (+15 −3, modified)
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2017 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -17,13 +17,17 @@
     package org.springframework.web.filter;
     
     import java.io.IOException;
    +import java.util.Arrays;
    +import java.util.Collections;
    +import java.util.List;
     import java.util.Locale;
     import javax.servlet.FilterChain;
     import javax.servlet.ServletException;
     import javax.servlet.http.HttpServletRequest;
     import javax.servlet.http.HttpServletRequestWrapper;
     import javax.servlet.http.HttpServletResponse;
     
    +import org.springframework.http.HttpMethod;
     import org.springframework.util.Assert;
     import org.springframework.util.StringUtils;
     import org.springframework.web.util.WebUtils;
    @@ -35,6 +39,7 @@
      * is to use a normal POST with an additional hidden form field ({@code _method})
      * to pass the "real" HTTP method along. This filter reads that parameter and changes
      * the {@link HttpServletRequestWrapper#getMethod()} return value accordingly.
    + * Only {@code "PUT"}, {@code "DELETE"} and {@code "PATCH"} HTTP methods are allowed.
      *
      * <p>The name of the request parameter defaults to {@code _method}, but can be
      * adapted via the {@link #setMethodParam(String) methodParam} property.
    @@ -50,6 +55,10 @@
      */
     public class HiddenHttpMethodFilter extends OncePerRequestFilter {
     
    +	private static final List<String> ALLOWED_METHODS =
    +			Collections.unmodifiableList(Arrays.asList(HttpMethod.PUT.name(),
    +					HttpMethod.DELETE.name(), HttpMethod.PATCH.name()));
    +
     	/** Default method parameter: {@code _method} */
     	public static final String DEFAULT_METHOD_PARAM = "_method";
     
    @@ -74,7 +83,10 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
     		if ("POST".equals(request.getMethod()) && request.getAttribute(WebUtils.ERROR_EXCEPTION_ATTRIBUTE) == null) {
     			String paramValue = request.getParameter(this.methodParam);
     			if (StringUtils.hasLength(paramValue)) {
    -				requestToUse = new HttpMethodRequestWrapper(request, paramValue);
    +				String method = paramValue.toUpperCase(Locale.ENGLISH);
    +				if (ALLOWED_METHODS.contains(method)) {
    +					requestToUse = new HttpMethodRequestWrapper(request, method);
    +				}
     			}
     		}
     
    @@ -92,7 +104,7 @@ private static class HttpMethodRequestWrapper extends HttpServletRequestWrapper
     
     		public HttpMethodRequestWrapper(HttpServletRequest request, String method) {
     			super(request);
    -			this.method = method.toUpperCase(Locale.ENGLISH);
    +			this.method = method;
     		}
     
     		@Override
    
  • spring-web/src/test/java/org/springframework/web/filter/HiddenHttpMethodFilterTests.java  (+23 −16, modified)
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2014 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -31,45 +31,52 @@
     import static org.junit.Assert.*;
     
     /**
    + * Tests for {@link HiddenHttpMethodFilter}.
    + * 
      * @author Arjen Poutsma
    + * @author Brian Clozel
      */
     public class HiddenHttpMethodFilterTests {
     
     	private final HiddenHttpMethodFilter filter = new HiddenHttpMethodFilter();
     
     	@Test
     	public void filterWithParameter() throws IOException, ServletException {
    -		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/hotels");
    -		request.addParameter("_method", "delete");
    -		MockHttpServletResponse response = new MockHttpServletResponse();
    -
    -		FilterChain filterChain = new FilterChain() {
    +		filterWithParameterForMethod("delete", "DELETE");
    +		filterWithParameterForMethod("put", "PUT");
    +		filterWithParameterForMethod("patch", "PATCH");
    +	}
     
    -			@Override
    -			public void doFilter(ServletRequest filterRequest,
    -					ServletResponse filterResponse) throws IOException, ServletException {
    -				assertEquals("Invalid method", "DELETE",
    -						((HttpServletRequest) filterRequest).getMethod());
    -			}
    -		};
    -		filter.doFilter(request, response, filterChain);
    +	@Test
    +	public void filterWithParameterDisallowedMethods() throws IOException, ServletException {
    +		filterWithParameterForMethod("trace", "POST");
    +		filterWithParameterForMethod("head", "POST");
    +		filterWithParameterForMethod("options", "POST");
     	}
     
     	@Test
     	public void filterWithNoParameter() throws IOException, ServletException {
    +		filterWithParameterForMethod(null, "POST");
    +	}
    +
    +	private void filterWithParameterForMethod(String methodParam, String expectedMethod)
    +			throws IOException, ServletException {
     		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/hotels");
    +		if(methodParam != null) {
    +			request.addParameter("_method", methodParam);
    +		}
     		MockHttpServletResponse response = new MockHttpServletResponse();
     
     		FilterChain filterChain = new FilterChain() {
     
     			@Override
     			public void doFilter(ServletRequest filterRequest,
     					ServletResponse filterResponse) throws IOException, ServletException {
    -				assertEquals("Invalid method", "POST",
    +				assertEquals("Invalid method", expectedMethod,
     						((HttpServletRequest) filterRequest).getMethod());
     			}
     		};
    -		filter.doFilter(request, response, filterChain);
    +		this.filter.doFilter(request, response, filterChain);
     	}
     
     }
    \ No newline at end of file
    
323ccf99e575

Restrict HTTP methods on Servlet HiddenHttpMethodFilter

2 files changed · +38 −19
  • spring-web/src/main/java/org/springframework/web/filter/HiddenHttpMethodFilter.java  (+15 −3, modified)
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2017 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -17,13 +17,17 @@
     package org.springframework.web.filter;
     
     import java.io.IOException;
    +import java.util.Arrays;
    +import java.util.Collections;
    +import java.util.List;
     import java.util.Locale;
     import javax.servlet.FilterChain;
     import javax.servlet.ServletException;
     import javax.servlet.http.HttpServletRequest;
     import javax.servlet.http.HttpServletRequestWrapper;
     import javax.servlet.http.HttpServletResponse;
     
    +import org.springframework.http.HttpMethod;
     import org.springframework.util.Assert;
     import org.springframework.util.StringUtils;
     import org.springframework.web.util.WebUtils;
    @@ -35,6 +39,7 @@
      * is to use a normal POST with an additional hidden form field ({@code _method})
      * to pass the "real" HTTP method along. This filter reads that parameter and changes
      * the {@link HttpServletRequestWrapper#getMethod()} return value accordingly.
    + * Only {@code "PUT"}, {@code "DELETE"} and {@code "PATCH"} HTTP methods are allowed.
      *
      * <p>The name of the request parameter defaults to {@code _method}, but can be
      * adapted via the {@link #setMethodParam(String) methodParam} property.
    @@ -50,6 +55,10 @@
      */
     public class HiddenHttpMethodFilter extends OncePerRequestFilter {
     
    +	private static final List<String> ALLOWED_METHODS =
    +			Collections.unmodifiableList(Arrays.asList(HttpMethod.PUT.name(),
    +					HttpMethod.DELETE.name(), HttpMethod.PATCH.name()));
    +
     	/** Default method parameter: {@code _method} */
     	public static final String DEFAULT_METHOD_PARAM = "_method";
     
    @@ -74,7 +83,10 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
     		if ("POST".equals(request.getMethod()) && request.getAttribute(WebUtils.ERROR_EXCEPTION_ATTRIBUTE) == null) {
     			String paramValue = request.getParameter(this.methodParam);
     			if (StringUtils.hasLength(paramValue)) {
    -				requestToUse = new HttpMethodRequestWrapper(request, paramValue);
    +				String method = paramValue.toUpperCase(Locale.ENGLISH);
    +				if (ALLOWED_METHODS.contains(method)) {
    +					requestToUse = new HttpMethodRequestWrapper(request, method);
    +				}
     			}
     		}
     
    @@ -92,7 +104,7 @@ private static class HttpMethodRequestWrapper extends HttpServletRequestWrapper
     
     		public HttpMethodRequestWrapper(HttpServletRequest request, String method) {
     			super(request);
    -			this.method = method.toUpperCase(Locale.ENGLISH);
    +			this.method = method;
     		}
     
     		@Override
    
  • spring-web/src/test/java/org/springframework/web/filter/HiddenHttpMethodFilterTests.java  (+23 −16, modified)
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2014 the original author or authors.
    + * Copyright 2002-2018 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -31,45 +31,52 @@
     import static org.junit.Assert.*;
     
     /**
    + * Tests for {@link HiddenHttpMethodFilter}.
    + * 
      * @author Arjen Poutsma
    + * @author Brian Clozel
      */
     public class HiddenHttpMethodFilterTests {
     
     	private final HiddenHttpMethodFilter filter = new HiddenHttpMethodFilter();
     
     	@Test
     	public void filterWithParameter() throws IOException, ServletException {
    -		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/hotels");
    -		request.addParameter("_method", "delete");
    -		MockHttpServletResponse response = new MockHttpServletResponse();
    -
    -		FilterChain filterChain = new FilterChain() {
    +		filterWithParameterForMethod("delete", "DELETE");
    +		filterWithParameterForMethod("put", "PUT");
    +		filterWithParameterForMethod("patch", "PATCH");
    +	}
     
    -			@Override
    -			public void doFilter(ServletRequest filterRequest,
    -					ServletResponse filterResponse) throws IOException, ServletException {
    -				assertEquals("Invalid method", "DELETE",
    -						((HttpServletRequest) filterRequest).getMethod());
    -			}
    -		};
    -		filter.doFilter(request, response, filterChain);
    +	@Test
    +	public void filterWithParameterDisallowedMethods() throws IOException, ServletException {
    +		filterWithParameterForMethod("trace", "POST");
    +		filterWithParameterForMethod("head", "POST");
    +		filterWithParameterForMethod("options", "POST");
     	}
     
     	@Test
     	public void filterWithNoParameter() throws IOException, ServletException {
    +		filterWithParameterForMethod(null, "POST");
    +	}
    +
    +	private void filterWithParameterForMethod(String methodParam, String expectedMethod)
    +			throws IOException, ServletException {
     		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/hotels");
    +		if(methodParam != null) {
    +			request.addParameter("_method", methodParam);
    +		}
     		MockHttpServletResponse response = new MockHttpServletResponse();
     
     		FilterChain filterChain = new FilterChain() {
     
     			@Override
     			public void doFilter(ServletRequest filterRequest,
     					ServletResponse filterResponse) throws IOException, ServletException {
    -				assertEquals("Invalid method", "POST",
    +				assertEquals("Invalid method", expectedMethod,
     						((HttpServletRequest) filterRequest).getMethod());
     			}
     		};
    -		filter.doFilter(request, response, filterChain);
    +		this.filter.doFilter(request, response, filterChain);
     	}
     
     }
    \ No newline at end of file
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
