Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Spring_framework | Vmware | * | 4.3.17 (excluding) |
| Spring_framework | Vmware | 5.0.0 (including) | 5.0.6 (excluding) |
| Libspring-java | Ubuntu | artful | * |
| Libspring-java | Ubuntu | esm-apps/xenial | * |
| Libspring-java | Ubuntu | esm-infra-legacy/trusty | * |
| Libspring-java | Ubuntu | trusty | * |
| Libspring-java | Ubuntu | trusty/esm | * |
| Libspring-java | Ubuntu | upstream | * |
| Libspring-java | Ubuntu | xenial | * |
| Red Hat Fuse 7.2 | RedHat | spring | * |
| Text-Only RHOAR | RedHat | * |