{"id":"CVE-2018-1258","details":"Spring Framework version 5.0.5, when used in combination with any version of Spring Security, contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.","aliases":["GHSA-cxrj-66c5-9fmh"],"modified":"2026-04-10T04:04:57.267087Z","published":"2018-05-11T20:29:00.260Z","references":[{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1041888"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1041896"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/104222"},{"type":"ADVISORY","url":"https://pivotal.io/security/cve-2018-1258"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20181018-0002/"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"},{"type":"FIX","url":"https://access.redhat.com/errata/RHSA-2019:2413"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2020.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libfuse/libfuse","events":[{"introduced":"0"},{"last_affected":"d2ed5539fc406008816e9c65b44e2f1d0554ffbe"},{"introduced":"0"},{"last_affected":"cfdca8c6a0f901f409d0a66dd158bd6c8b470bb6"},{"introduced
":"0"},{"last_affected":"1186ccaa8d5f0fb3fed384781ec9e89dd8060202"},{"introduced":"0"},{"last_affected":"1186ccaa8d5f0fb3fed384781ec9e89dd8060202"},{"introduced":"0"},{"last_affected":"1ac9ca5636f3309b86eab007dfe863d14f52e329"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.1.0"},{"introduced":"0"},{"last_affected":"3.2.0"},{"introduced":"0"},{"last_affected":"3.0"},{"introduced":"0"},{"last_affected":"3.0"},{"introduced":"0"},{"last_affected":"2.9.5"}]}},{"type":"GIT","repo":"https://github.com/spring-projects/spring-framework","events":[{"introduced":"0"},{"fixed":"3767abea3a9ec4b76257c1f98d65bd9da57afd28"},{"introduced":"0"},{"last_affected":"299f8b15ad1f74ca769b396d915e8369623279f2"},{"introduced":"0"},{"last_affected":"22a14c02c2fad2f7338bb66a759f325f17089612"},{"introduced":"0"},{"last_affected":"201b2d752efc4c79b0d52d90e95dac1093520d5f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"7.0.0.1"},{"introduced":"0"},{"last_affected":"4.0"},{"introduced":"0"},{"last_affected":"4.2.0"},{"introduced":"0"},{"last_affected":"4.2.1"}]}}],"versions":["before_interruptible","debian_version_0_95-1","debian_version_1_0-1","fuse-3.0.0","fuse-3.0.0pre0","fuse-3.0.0rc1","fuse-3.0.0rc2","fuse-3.0.0rc3","fuse-3.0.1","fuse-3.0.2","fuse-3.1.0","fuse-3.1.1","fuse-3.2.0","fuse_0_9","fuse_0_95","fuse_1_1","fuse_1_1_pre2","fuse_1_9","fuse_2_2","fuse_2_2_pre1","fuse_2_2_pre4","fuse_2_2_pre5","fuse_2_2_pre6","fuse_2_3_0","fuse_2_3_pre1","fuse_2_3_pre2","fuse_2_3_pre3","fuse_2_3_pre4","fuse_2_3_pre5","fuse_2_3_pre6","fuse_2_3_pre7","fuse_2_3_rc1","fuse_2_4_0","fuse_2_4_0_pre2","fuse_2_4_0_rc1","fuse_2_4_1","fuse_2_5_0","fuse_2_5_0_pre1","fuse_2_5_0_pre2","fuse_2_6_0","fuse_2_6_0_pre1","fuse_2_6_0_pre2","fuse_2_6_0_pre3","fuse_2_6_0_rc1","fuse_2_6_0_rc2","fuse_2_6_0_rc3","fuse_2_6_1","fuse_2_7_0","fuse_2_7_0_rc1","fuse_2_7_1","fuse_2_7_2","fuse_2_7_2_before_indent","fuse_2_8_0","fuse_2_8_0_pre2","fuse_2_8_1","fuse_2_8_2","fuse_2_8_3","fuse_2_8_4"
,"fuse_2_8_start","fuse_2_9_0","fuse_2_9_1","fuse_2_9_2","fuse_2_9_3","fuse_2_9_4","fuse_2_9_5","fuse_2_9_start","fuse_3_0_start","start","v3.2.0.M1","v3.2.0.M2","v3.2.0.RC1","v3.2.0.RC2-A","v3.2.0.RELEASE","v4.0.0.M1","v4.0.0.M2","v4.0.0.M3","v4.0.0.RC1","v4.0.0.RC2","v4.0.0.RELEASE","v4.2.0.RELEASE","v4.2.1.RELEASE"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.5"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.6"}]},{"events":[{"introduced":"0"},{"last_affected":"10.1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.5.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"13.1.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"13.2.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"13.3.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"1.6.0"}]},{"events":[{"introduced":"0"},{"fixed":"8.3"}]},{"events":[{"introduced":"7.3.2"},{"last_affected":"7.3.6"}]},{"events":[{"introduced":"0"},{"fixed":"10.2.1"}]},{"events":[{"introduced":"0"},{"fixed":"6.1.0.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"13.2"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.2"}]},{"events":[{"introduced":"0"},{"last_affected":"12.3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.1.7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.3.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.3.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.3.2.1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2"}]},{
"events":[{"introduced":"0"},{"last_affected":"11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.2.8191"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"13.2"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.2"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"17.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.3.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.2.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"10.3.6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.2"}]},{"events":[{"introduced":"0"},{"l
ast_affected":"12.2.1.3"}]},{"events":[{"introduced":"7.3"}]},{"events":[{"introduced":"9.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1258.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}