CVE: 2018-11039 found in Spring Web - Version: 4.3.10.RELEASE [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	Spring Web
Description	Spring Web
Language	JAVA
Vulnerability	Cross-Site Tracing (XST)
Vulnerability description	spring-web is vulnerable to cross-site tracing (XST) attacks. The vulnerability exists as HiddenHttpMethodFilter allows web applications to change existing HTTP request method to any HTTP method, causing applications with existing cross-site scripting (XSS) vulnerability to be vulnerable to XST.
CVE	2018-11039
CVSS score	4.3
Vulnerability present in version/s	4.3.0.RELEASE-4.3.17.RELEASE
Found library version/s	4.3.10.RELEASE
Vulnerability fixed in version	4.3.18.RELEASE
Library latest version	6.0.2
Fix

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/1104?version=4.3.10.RELEASE
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/6806
• Patch: https://github.com/spring-projects/spring-framework/commit/323ccf99e575343f63d56e229c25c35c170b7ec1

[github-actions[bot]]

Veracode issue link to PR: https://github.com/5l1D3R/Github-actions/pull/2