CVE: 2018-11040 found in Spring Web MVC - Version: 4.3.10.RELEASE [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	Spring Web MVC
Description	Spring Web MVC
Language	JAVA
Vulnerability	Cross-Domain Request Through Insecure JSONP Defaults
Vulnerability description	spring-webmvc is vulnerable to cross-domain requests. The vulnerability exists as JSONP is enabled through the jsonp and callback JSONP parameters in MappingJackson2JsonView by default.
CVE	2018-11040
CVSS score	4.3
Vulnerability present in version/s	4.3.0.RC1-4.3.17.RELEASE
Found library version/s	4.3.10.RELEASE
Vulnerability fixed in version	4.3.18.RELEASE
Library latest version	6.1.1
Fix

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/949?version=4.3.10.RELEASE
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/6807
• Patch: https://github.com/spring-projects/spring-framework/commit/874859493bbda59739c38c7e52eb3625f247b93a

[github-actions[bot]]

Veracode issue link to PR: https://github.com/veracode-repository-ruleset/verademo-java-maven/pull/54