On Sat, Apr 07, 2018 at 09:46:13AM +0200, Salvatore Bonaccorso wrote:
> Source: libspring-java
> Version: 4.3.5-1
> Severity: grave
> Tags: security upstream fixed-upstream
>
> Hi,
>
> The following vulnerabilities were published for libspring-java,
> filing only one bug this time since the common set of affected
> versions for the two is all 4.3 versions and older unsupported
> versions.
>
> CVE-2018-1270:
> | Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior
> | to 4.3.15 and older unsupported versions, allow applications to expose
> | STOMP over WebSocket endpoints with a simple, in-memory STOMP broker
> | through the spring-messaging module. A malicious user (or attacker)
> | can craft a message to the broker that can lead to a remote code
> | execution attack.
For this one: https://bugzilla.redhat.com/show_bug.cgi?id=1565307

So when trying to address CVE-2018-1270, one needs to make sure it is not
only partially fixed, so as not to open up CVE-2018-1275.

Regards,
Salvatore