{"id":"CVE-2018-11040","details":"Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the \"jsonp\" and \"callback\" JSONP parameters, enabling cross-domain requests.","aliases":["GHSA-f26x-pr96-vw86"],"modified":"2026-04-10T04:04:16.076397Z","published":"2018-06-25T15:29:00.363Z","references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html"},{"type":"ADVISORY","url":"https://pivotal.io/security/cve-2018-11040"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spring-projects/spring-framework","events":[{"introduced":"0"},{"fixed":"8dab9416c7381a477c5b5f94da421da9eb976735"},{"introduced":"f4f990b2c900a9b325fd0770d9064a188d073253"},{"fixed":"8bfd47a8d4fb3287e4e68a74d3b3711f2c404bff"},{"introduced":"0"},{"last_affected":"e6585e0250519ec6ef85f0ca2f8d9b6151f94397"},{"introduced":"0"},{"last_affected":"ac107d0c2ae939c669ba086c2874d02790519b06"},{"introduced":"0"},{"last_affected":"abdcefb460fcbc1348ef04505a78381a2c69a643"},{"introduced":"0"},{"last_affected":"30604ae861d378669a9719918f3068dadcc5aed5"},{"introduced":"0"},{"last_affected":"299f8b15ad1f74ca769b396d915e8369623279f2"},{"introduced":"0"},{"last_affected":"22a14c02c2fad2f7338bb66a759f325f17089612"},{"introduced":"0"},{"last_affected":"201b2d752efc4c79b0d52d90e95dac1093520d5f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.3.18"},{"introduced":"5.0.0"},{"fixed":"5.0.7"},{"introduced":"0"},{"last_affected":"6.1"},{"introduced":"0"},{"last_affected":"3.1.0"},{"introduced":"0"},{"last_affected":"3.2.0"},{"introduced":"0"},{"last_affected":"3.0"},{"introduced":"0"},{"last_affected":"4.0"},{"introduced":"0"},{"last_affected":"4.2.0"},{"introduced":"0"},{"last_affected":"4.2.1"}]}}],"versions":["v3.0.0.RELEASE","v3.1.0.RELEASE","v3.2.0.M1","v3.2.0.M2","v3.2.0.RC1","v3.2.0.RC2-A","v3.2.0.RELEASE","v4.0.0.M1","v4.0.0.M2","v4.0.0.M3","v4.0.0.RC1","v4.0.0.RC2","v4.0.0.RELEASE","v4.2.0.RELEASE","v4.2.1.RELEASE","v5.0.5.RELEASE","v6.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-11040.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.5"}]},{"events":[{"introduced":"0"},{"last_affected":"12.5.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"13.1.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"13.2.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"13.3.0.1"}]},{"events":[{"introduced":"7.3.2"},{"last_affected":"7.3.6"}]},{"events":[{"introduced":"0"},{"fixed":"6.1.0.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"13.2"}]},{"events":[{"introduced":"0"},{"last_affected":"12.3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"2.0.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.2.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.0.0"}]},{"events":[{"introduced":"11.0.0"},{"last_affected":"11.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2"}]},{"events":[{"introduced":"0"},{"last_affected":"2.9.5"}]},{"events":[{"introduced":"0"},{"last_affected":"3.4.9.4237"}]},{"events":[{"introduced":"3.4.10"},{"last_affected":"4.0.6.5281"}]},{"events":[{"introduced":"4.0.7"},{"last_affected":"8.0.2.8191"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.6"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0.5"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"13.4.4"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0.3.26"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.37"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3.100"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"1.12.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}