High severity7.5NVD Advisory· Published Jun 25, 2018· Updated Jun 17, 2026
CVE-2018-11040
CVE-2018-11040
Description
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework:spring-coreMaven | >= 5.0.0.RELEASE, < 5.0.7.RELEASE | 5.0.7.RELEASE |
org.springframework:spring-coreMaven | >= 4.3.0.RELEASE, < 4.3.18.RELEASE | 4.3.18.RELEASE |
Affected products
2- Range: 5.0.x
Patches
Vulnerability mechanics
References
13- www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlnvdPatchThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpujan2020.htmlnvdPatchThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpujul2020.htmlnvdPatchThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlnvdPatchThird Party AdvisoryWEB
- www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlnvdPatchThird Party AdvisoryWEB
- www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlnvdPatchThird Party AdvisoryWEB
- www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlnvdPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-f26x-pr96-vw86ghsaADVISORY
- lists.debian.org/debian-lts-announce/2021/04/msg00022.htmlnvdMailing ListThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2018-11040ghsaADVISORY
- pivotal.io/security/cve-2018-11040nvdMitigationVendor AdvisoryWEB
- github.com/spring-projects/spring-framework/commit/874859493bbda59739c38c7e52eb3625f247b93aghsaWEB
- github.com/spring-projects/spring-framework/commit/b80c13b722bb207ddf43f53a007ee3ddc1dd2e26ghsaWEB
News mentions
0No linked articles in our index yet.