Broken Object Level Authorization

How to Fix Broken Object Level Authorization in Spring Boot [Month Year] [CVE-2018-11040]

[Updated March 2026] Updated CVE-2018-11040

Overview

CVE-2018-11040 describes a JSONP-based data exposure in Spring Framework. Both AbstractJsonpResponseBodyAdvice (for REST controllers) and MappingJackson2JsonView (for view-rendered responses) could wrap a response in a JSONP callback, and once a MappingJackson2JsonView bean was configured, JSONP was ready to use without any further opt-in, even for cross-origin callers. Because a JSONP response is a script, a page on any origin could load it with a script tag and read the data, sidestepping the same-origin policy that normally keeps an authenticated JSON response private to the site that issued it.

This is not a traditional Broken Object Level Authorization (BOLA) flaw by itself, but the misconfiguration enabled cross-origin retrieval of data tied to specific objects, which undermines server-side access control and can expose user or object data whenever an endpoint returns protected resources.

The vulnerability was present in Spring Framework 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and has been patched in those release lines; the NVD and GitHub advisories for CVE-2018-11040 give exact patch details. In a real Spring Boot deployment the issue manifests when an application uses a Spring MVC view such as MappingJackson2JsonView, or otherwise enables JSONP support, without restricting access to sensitive resources.

Affected Versions

Spring Framework: 5.0.x prior to 5.0.7; 4.3.x prior to 4.3.18; older unsupported versions

Code Fix Example

Spring Boot API Security Remediation
Vulnerable pattern and fix (Java):

// Vulnerable: JSONP support enabled via MappingJackson2JsonView, allowing cross-domain JSONP calls
import java.security.Principal;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

@RestController
@RequestMapping("/api")
public class UserController {
    private final UserService userService;

    public UserController(UserService userService) {
        this.userService = userService;
    }

    @GetMapping("/users/{id}")
    public User getUser(@PathVariable Long id, Principal principal) {
        // Potential object-level authorization risk: nothing here verifies that the caller may read user `id`
        return userService.findForUser(id, principal);
    }
}

@Configuration
public class WebConfig {
    @Bean
    public MappingJackson2JsonView jsonView() {
        // In affected versions this view wraps the body in a JSONP callback whenever a
        // "jsonp" or "callback" request parameter is present (for @ResponseBody endpoints the
        // same wrapping came from an AbstractJsonpResponseBodyAdvice subclass)
        return new MappingJackson2JsonView();
    }
}

// Attack scenario: /api/users/123?callback=evil
// The response is wrapped in evil(...), which can be executed on the attacker's domain.

// Fixed: Remove JSONP support and rely on standard JSON responses with proper server-side authorization
import java.security.Principal;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api")
public class UserController {
    private final UserService userService;

    public UserController(UserService userService) {
        this.userService = userService;
    }

    @GetMapping("/users/{id}")
    // Evaluated before the method body runs: `principal` is the authenticated caller, #id the path variable
    @PreAuthorize("@securityService.canAccessUser(principal, #id)")
    public User getUser(@PathVariable Long id, Principal principal) {
        // Enforce object-level authorization on the server side
        return userService.findForUser(id, principal);
    }
}

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // without this, @PreAuthorize is never evaluated
public class WebConfig {
    // Do not register MappingJackson2JsonView or any JSONP-supporting components
    // (including AbstractJsonpResponseBodyAdvice subclasses for @ResponseBody endpoints)
}
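Two pieces the fix above leaves implicit, added here as an example that is not from the original page or the Spring project: the securityService bean that the @PreAuthorize expression calls, and a MockMvc regression test covering both halves of the fix. The UserService.findOwnerIdFor helper, the Spring Boot application class, and test fixtures in which user "alice" owns record 1 but not record 2 are assumptions.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;
import org.springframework.test.web.servlet.MockMvc;
import org.junit.jupiter.api.Test;
import static org.hamcrest.Matchers.not;
import static org.hamcrest.Matchers.startsWith;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// The bean behind @PreAuthorize("@securityService.canAccessUser(principal, #id)").
// Assumed helper: UserService.findOwnerIdFor(username) returns the id of the caller's own record.
@Service("securityService")
class SecurityService {
    private final UserService userService;
    SecurityService(UserService userService) { this.userService = userService; }

    // Object-level rule: a caller may read a User record only if it is their own.
    // `principal` is whatever Spring Security stored for the session, a UserDetails in the common case.
    public boolean canAccessUser(Object principal, Long id) {
        if (principal == null || id == null) return false;
        String username = principal instanceof UserDetails
                ? ((UserDetails) principal).getUsername() : principal.toString();
        return id.equals(userService.findOwnerIdFor(username));
    }
}

// Regression test: a callback parameter must not turn the body into JSONP, and a record the
// caller does not own must be refused (403) before anything is serialized.
@SpringBootTest
@AutoConfigureMockMvc
class UserObjectAuthorizationTest {
    @Autowired MockMvc mvc;
    @Test @WithMockUser(username = "alice")
    void callbackParameterDoesNotProduceJsonp() throws Exception {
        mvc.perform(get("/api/users/{id}", 1L).param("callback", "evil"))
           .andExpect(status().isOk())
           .andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON))
           .andExpect(content().string(not(startsWith("evil("))));
    }
    @Test @WithMockUser(username = "alice")
    void otherUsersRecordIsForbidden() throws Exception {
        mvc.perform(get("/api/users/{id}", 2L)).andExpect(status().isForbidden());
    }
}
```

The two classes would normally live in separate source files (main and test); they are shown together only so the example reads as one unit.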

CVE References
