CVE-2018-1272
Description
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example if the part content represents a username or user roles.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Spring Framework multipart request pollution (CVE-2018-1272) allows an attacker to inject extra multipart content, potentially leading to privilege escalation.
Vulnerability
Spring Framework versions 5.0 prior to 5.0.5 and 4.3 prior to 4.3.15 (and older unsupported versions) provide client-side support for multipart requests [1]. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client and then uses that input to make a multipart request to another server (server B), an attacker can insert an extra multipart part in the request from server A, causing server B to use the wrong value for an expected part [1]. The fix commits listed under Patches replace the java.util.Random that MimeTypeUtils used to generate the multipart boundary with SecureRandom, which is the root cause: an injected part is only recognised by server B if it is framed with the same boundary string server A chose, so a predictable boundary is what makes the injection work.
Exploitation
An attacker must be able to send crafted input to server A, which server A then uses to form a multipart request to server B [1]. No authentication beyond whatever server A requires to accept that input is needed; the attack is carried out remotely over the network without special privileges or user interaction [1]. The injected text has to terminate the part it lands in with server A's own boundary delimiter, so the attacker must also know or predict that boundary, which the weak java.util.Random generation corrected by the patches made feasible.
Impact
Successful exploitation can lead to privilege escalation [1]. For example, if a multipart part content represents a username or user roles, the attacker could cause server B to use an attacker-controlled value, thereby gaining elevated privileges on server B [1]. This is a high-severity issue (CVSS 8.8) as per Red Hat [3].
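The exchange described in the Vulnerability, Exploitation and Impact paragraphs, as an added example in Python that is not part of this page or of Spring's own code: a naive multipart builder stands in for server A, a simple parser stands in for server B, the attacker's value closes the current part and opens a forged `role` part, and the boundary is drawn either from a seeded `random.Random` (modelling the predictable `java.util.Random` case) or from `secrets.SystemRandom()` (modelling `SecureRandom`). The field names, values, seed and boundary alphabet are constructed for the example; real servers will differ in which of two same-named parts they honour.

```python
"""Multipart part injection through a predictable boundary (added example, not Spring code).

Models the CVE-2018-1272 scenario: server A pastes a remote client's input into a
multipart request it sends to server B.  If the client can predict the boundary
server A will use, its input can close the current part and open a forged one.
All names, values, the seed and the boundary alphabet are constructed for the example.
"""
from __future__ import annotations

import random
import re
import secrets

# Constructed alphabet: digits and ASCII letters, the shape a boundary usually has.
BOUNDARY_CHARS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def boundary_from(rng: random.Random) -> str:
    """Draw a 30-40 character boundary from the given generator.

    A seeded random.Random is the predictable case (anyone with the same state
    produces the same string); secrets.SystemRandom() is the SecureRandom-like case."""
    length = rng.randrange(30, 41)
    return "".join(rng.choice(BOUNDARY_CHARS) for _ in range(length))


def build_multipart(fields: list[tuple[str, str]], boundary: str) -> bytes:
    """Serialise fields as multipart/form-data the way a naive client does:
    every value is pasted in verbatim, nothing is escaped or length-prefixed."""
    out = []
    for name, value in fields:
        out.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n'.encode())
        out.append(value.encode() + b"\r\n")
    out.append(f"--{boundary}--\r\n".encode())
    return b"".join(out)


def parse_multipart(body: bytes, boundary: str) -> dict[str, list[str]]:
    """Parse like server B: split on the delimiter and keep every value per name,
    so a duplicated part name is visible to the caller instead of silently collapsed."""
    parts: dict[str, list[str]] = {}
    for seg in (b"\r\n" + body).split(b"\r\n--" + boundary.encode())[1:]:
        if seg.startswith(b"--"):
            break  # closing delimiter
        headers, _, value = seg.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', headers)
        if m:
            parts.setdefault(m.group(1).decode(), []).append(value.decode())
    return parts


def forge_value(honest_value: str, guessed_boundary: str, name: str, value: str) -> str:
    """Attacker's input: ends the part it lands in and opens a forged part.
    It only takes effect if guessed_boundary equals the one server A really uses."""
    return (f"{honest_value}\r\n--{guessed_boundary}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n\r\n{value}')


def server_a_forward(client_username: str, boundary: str) -> bytes:
    """Server A: forwards the client's username plus its own fixed role part to server B."""
    return build_multipart([("username", client_username), ("role", "user")], boundary)


def run_attack(server_boundary: str, attacker_guess: str) -> dict[str, list[str]]:
    """Whole exchange attacker -> server A -> server B; returns what B parsed."""
    body = server_a_forward(forge_value("alice", attacker_guess, "role", "admin"), server_boundary)
    return parse_multipart(body, server_boundary)


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    # Predictable case: server A and the attacker draw from the same seeded generator.
    seed = 20180405  # constructed; stands in for recovered java.util.Random state
    predictable = boundary_from(random.Random(seed))
    polluted = run_attack(predictable, boundary_from(random.Random(seed)))
    # Unpredictable case: server A uses the OS CSPRNG, so the attacker's guess is stale.
    safe = run_attack(boundary_from(secrets.SystemRandom()), predictable)
    return polluted, safe


if __name__ == "__main__":
    polluted, safe = demo()
    print("predictable boundary:  ", polluted)  # role -> ['admin', 'user']
    print("unpredictable boundary:", safe)      # role -> ['user']; injection stays inside username
```

In the predictable run server B sees a forged `role=admin` part ahead of server A's genuine `role=user`, so a first-value-wins parser grants the attacker's role; in the unpredictable run the same payload is just an odd-looking username. Which duplicate a real server B honours depends on its multipart implementation, so treat any duplicated part name from an upstream service as a signal worth rejecting.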
Mitigation
Upgrade to Spring Framework 5.0.5 or 4.3.15, released in April 2018 [4]. Red Hat has provided updates for its affected products: Fuse 7.1 (RHSA-2018:2669) [2] and OpenShift Application Runtimes (RHSA-2018:1320) [3]. There is no listed workaround for unpatched versions; upgrade is the recommended action.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework:spring-core (Maven) | < 4.3.15 | 4.3.15 |
| org.springframework:spring-core (Maven) | >= 5.0.0, < 5.0.5 | 5.0.5 |
Affected products
- Spring by Pivotal / Spring Framework, v5, range: versions prior to 5.0.5 and 4.3.15
Patches
e02ff3a0da50 MimeTypeUtils uses SecureRandom
1 file changed · +3 −2
spring-core/src/main/java/org/springframework/util/MimeTypeUtils.java+3 −2 modified@@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -18,6 +18,7 @@ import java.nio.charset.Charset; import java.nio.charset.UnsupportedCharsetException; +import java.security.SecureRandom; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; @@ -46,7 +47,7 @@ public abstract class MimeTypeUtils { 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'}; - private static final Random RND = new Random(); + private static final Random RND = new SecureRandom(); private static Charset US_ASCII = Charset.forName("US-ASCII");
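Review bot: the field keeps its declared type `Random` while the initialiser becomes `new SecureRandom()` (`private static final Random RND = new SecureRandom();`); declare it as `SecureRandom` so the type documents the requirement and a later edit cannot reintroduce `new Random()` without a visible type change. Neither the one-line commit message nor the field carries a comment saying why a cryptographically strong generator is needed here (the multipart boundary must not be guessable by whoever supplies part content), so add a short comment on the field.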
ab2410c754b6 MimeTypeUtils uses SecureRandom
1 file changed · +2 −1
spring-core/src/main/java/org/springframework/util/MimeTypeUtils.java+2 −1 modified@@ -18,6 +18,7 @@ import java.nio.charset.StandardCharsets; import java.nio.charset.UnsupportedCharsetException; +import java.security.SecureRandom; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; @@ -45,7 +46,7 @@ public abstract class MimeTypeUtils { 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'}; - private static final Random RND = new Random(); + private static final Random RND = new SecureRandom(); /** * Comparator used by {@link #sortBySpecificity(List)}.
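Review bot: this hunk leaves the file's copyright header untouched, whereas the companion commit e02ff3a0da50 bumps `Copyright 2002-2017` to `Copyright 2002-2018` in the same file; keep the two branches consistent. The `RND` field is again typed `Random` rather than `SecureRandom`, so the same narrowing and explanatory comment suggested for the other commit applies here.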
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2018:1320 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2018:2669 (Red Hat vendor advisory)
- github.com/advisories/GHSA-4487-x383-qpph (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1272 (NVD entry)
- www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (Oracle Critical Patch Update, July 2018)
- www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (Oracle Critical Patch Update, October 2018)
- www.securityfocus.com/bid/103697 (SecurityFocus BID)
- github.com/spring-projects/spring-framework/commit/ab2410c754b67902f002bfcc0c3895bd7772d39 (fix commit)
- github.com/spring-projects/spring-framework/commit/e02ff3a0da50744b0980d5d665fd242eedea767 (fix commit)
- pivotal.io/security/cve-2018-1272 (Pivotal vendor advisory)
- www.oracle.com/security-alerts/cpujul2020.html (Oracle Critical Patch Update, July 2020)
- www.oracle.com/security-alerts/cpuoct2021.html (Oracle Critical Patch Update, October 2021)
- www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (Oracle Critical Patch Update, January 2019)
- www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (Oracle Critical Patch Update, July 2019)
News mentions
No linked articles in our index yet.