Overview
CVE-2018-11040 describes a JSONP-related vulnerability in Spring Framework: if an application configures a MappingJackson2JsonView (or related JSON view tooling), the framework may automatically support JSONP via the jsonp and callback request parameters. This allows cross-origin requests to endpoints that return JSON data, effectively bypassing same-origin restrictions for those endpoints. The CVE record categorizes the issue under CWE-829, reflecting improper handling of cross-origin input that can leak data when such a view is configured in the application. JSONP is not enabled by default in Spring Framework or Spring Boot; the vulnerability arises only when a developer explicitly configures a JSON view that supports JSONP for REST responses. Upstream patches for the affected versions disable this behavior.
Affected Versions
Spring Framework 5.0.x prior to 5.0.7; Spring Framework 4.3.x prior to 4.3.18; and older, unsupported versions.
Code Fix Example
Spring Boot API Security Remediation
// VULNERABLE CODE (JSONP may be enabled via MappingJackson2JsonView when configured)
// This configuration enables a JSONP-capable view for REST responses
package com.example.demo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;
import java.util.Map;
@SpringBootApplication
public class DemoApplication {

    /**
     * Bootstraps the Spring Boot application context for the demo.
     *
     * @param args command-line arguments forwarded to Spring Boot
     */
    public static void main(String[] args) {
        // Same effect as SpringApplication.run(DemoApplication.class, args); the
        // launcher is built explicitly so the primary source class is visible.
        new SpringApplication(DemoApplication.class).run(args);
    }
}
@Configuration
@EnableWebMvc
class WebConfig {

    /**
     * Registers a Jackson JSON view for rendering REST responses.
     *
     * <p>Vulnerable pattern (CVE-2018-11040): on Spring Framework 5.0.x before 5.0.7
     * and 4.3.x before 4.3.18, a {@code MappingJackson2JsonView} honours the
     * {@code jsonp} and {@code callback} request parameters out of the box, so a
     * request carrying one of them gets the JSON body wrapped in a caller-chosen
     * JavaScript function and becomes readable from another origin. Nothing here
     * turns that off. The fix is to upgrade to a patched release; on an affected
     * version the view can also be told to ignore those parameters with
     * {@code view.setJsonpParameterNames(Collections.emptySet())}.
     *
     * @return the JSON view bean with its default (JSONP-capable) settings
     */
    @Bean
    public MappingJackson2JsonView jsonpView() {
        // Default construction only: the JSONP parameter names are never cleared.
        return new MappingJackson2JsonView();
    }
}
@RestController
@RequestMapping("/api")
class DataController {

    /**
     * Serves the sample payload at {@code GET /api/data}.
     *
     * <p>The value is illustrative; in the vulnerable configuration above this is
     * the data a cross-origin page could read through the JSONP wrapper.
     *
     * @return an immutable single-entry map holding the sample "secret" value
     */
    @GetMapping("/data")
    public Map<String, String> data() {
        Map<String, String> payload = Map.of("secret", "topsecret");
        return payload;
    }
}
// FIXED CODE
// Remove the JSONP-enabled view configuration and rely on standard JSON responses
package com.example.demo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.Map;
@SpringBootApplication
public class DemoApplication {

    /**
     * Bootstraps the Spring Boot application context for the remediated demo.
     *
     * @param args command-line arguments forwarded to Spring Boot
     */
    public static void main(String[] args) {
        // Same effect as SpringApplication.run(DemoApplication.class, args); the
        // launcher is built explicitly so the primary source class is visible.
        new SpringApplication(DemoApplication.class).run(args);
    }
}
@RestController
@RequestMapping("/api")
class DataControllerFixed {

    /**
     * Serves the sample payload at {@code GET /api/data} as plain JSON.
     *
     * <p>Remediation here is the absence of the JSONP-capable
     * {@code MappingJackson2JsonView} bean, so the {@code jsonp}/{@code callback}
     * request parameters no longer wrap the body. Upgrading to a patched Spring
     * Framework release (5.0.7 / 4.3.18 or later) remains the authoritative fix:
     * on an affected version, any remaining JSON view bean of that kind would
     * reintroduce the behaviour.
     *
     * @return an immutable single-entry map holding the sample "secret" value
     */
    @GetMapping("/data")
    public Map<String, String> data() {
        Map<String, String> payload = Map.of("secret", "topsecret");
        return payload;
    }
}