CVE-2018-11040 @ Maven-org.springframework:spring-web-3.2.4.RELEASE

[cxronen]

Vulnerable Package issue exists @ Maven-org.springframework:spring-web-3.2.4.RELEASE in branch master

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Namespace: cxronen
Repository: BookStore_VSCode
Repository Url: https://github.com/cxronen/BookStore_VSCode
CxAST-Project: cxronen/BookStore_VSCode
CxAST platform scan: 8da575ca-6c79-4d57-ae63-b0e053c9ba06
Branch: master
Application: BookStore_VSCode
Severity: MEDIUM
State: TO_VERIFY
Status: RECURRENT
CWE: CWE-254

---

Additional Info
Attack vector: NETWORK
Attack complexity: HIGH
Confidentiality impact: HIGH
Availability impact: NONE
Remediation Upgrade Recommendation: 5.3.7

---

References
Commit
Advisory
Issue