CVE-2018-15756 [High] | Denial of Service in Spring Framework

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	20.13%	9.51%	-10.61%
2	2026-04-27	18.10%	20.13%	+2.02%
3	2026-03-13	—	18.10%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

20.13%

9.51%

-10.61%

2026-04-27

18.10%

20.13%

+2.02%

2026-03-13

—

18.10%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.5	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	3.6	[email protected]
7.5	3.0	HIGH	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	3.6	[email protected]
5.0	2.0	MEDIUM	`AV:N/AC:L/Au:N/C:N/I:N/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:N) No integrity impact. Availability impact (A:P) Partial availability impact.	10.0	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.5

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

3.6

[email protected]

7.5

3.0

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

3.6

[email protected]

5.0

2.0

MEDIUM

AV:N/AC:L/Au:N/C:N/I:N/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:N): No integrity impact.
Availability impact (A:P): Partial availability impact.

10.0

2.9

[email protected]

OS Trackers for CVE-2018-15756

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2018-15756 not yet assigned priority: Debian including 1 source packages (libspring-java), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2018-15756
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2018-15756
`ubuntu`	medium	CVE-2018-15756 medium priority: Ubuntu including 1 source packages (libspring-java), 16 status rows across 16 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 13, needed 2, released 1.	https://ubuntu.com/security/CVE-2018-15756

Affected software / configurations for CVE-2018-15756

Vendor	Product	Version	Raw CPE
vmware	spring_framework	>= 4.2.0, < 4.3.20	cpe:2.3:a:vmware:spring_framework::::::::
vmware	spring_framework	>= 5.0.0, < 5.0.10	cpe:2.3:a:vmware:spring_framework::::::::
vmware	spring_framework	5.1.0	cpe:2.3:a:vmware:spring_framework:5.1.0:::::::*
oracle	agile_plm	9.3.3	cpe:2.3:a:oracle:agile_plm:9.3.3:::::::*
oracle	agile_plm	9.3.4	cpe:2.3:a:oracle:agile_plm:9.3.4:::::::*
oracle	agile_plm	9.3.5	cpe:2.3:a:oracle:agile_plm:9.3.5:::::::*
oracle	agile_plm	9.3.6	cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
oracle	communications_brm_-_elastic_charging_engine	11.3	cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3:::::::*
oracle	communications_brm_-_elastic_charging_engine	12.0	cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0:::::::*
oracle	communications_converged_application_server_-_service_controller	6.0	cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.0:::::::*
oracle	communications_converged_application_server_-_service_controller	6.1	cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.1:::::::*
oracle	communications_diameter_signaling_router	8.0.0	cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:::::::*
oracle	communications_diameter_signaling_router	8.1	cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:::::::*
oracle	communications_diameter_signaling_router	8.2	cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:::::::*
oracle	communications_diameter_signaling_router	8.2.1	cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:::::::*
oracle	communications_element_manager	8.1.1	cpe:2.3:a:oracle:communications_element_manager:8.1.1:::::::*
oracle	communications_element_manager	8.2.0	cpe:2.3:a:oracle:communications_element_manager:8.2.0:::::::*
oracle	communications_element_manager	8.2.1	cpe:2.3:a:oracle:communications_element_manager:8.2.1:::::::*
oracle	communications_online_mediation_controller	6.1	cpe:2.3:a:oracle:communications_online_mediation_controller:6.1:::::::*
oracle	communications_session_report_manager	8.0.0	cpe:2.3:a:oracle:communications_session_report_manager:8.0.0:::::::*
oracle	communications_session_report_manager	8.1.0	cpe:2.3:a:oracle:communications_session_report_manager:8.1.0:::::::*
oracle	communications_session_report_manager	8.1.1	cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:::::::*
oracle	communications_session_report_manager	8.2.0	cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:::::::*
oracle	communications_session_report_manager	8.2.1	cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:::::::*
oracle	communications_session_route_manager	8.0.0	cpe:2.3:a:oracle:communications_session_route_manager:8.0.0:::::::*
oracle	communications_session_route_manager	8.1.0	cpe:2.3:a:oracle:communications_session_route_manager:8.1.0:::::::*
oracle	communications_session_route_manager	8.1.1	cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:::::::*
oracle	communications_session_route_manager	8.2.0	cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:::::::*
oracle	communications_session_route_manager	8.2.1	cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:::::::*
oracle	communications_unified_inventory_management	7.3	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3:::::::*
oracle	communications_unified_inventory_management	7.4.0	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*
oracle	endeca_information_discovery_integrator	3.2.0	cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:::::::*
oracle	enterprise_manager_for_fusion_applications	13.3.0.0	cpe:2.3:a:oracle:enterprise_manager_for_fusion_applications:13.3.0.0:::::::*
oracle	enterprise_manager_ops_center	12.3.3	cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:::::::*
oracle	financial_services_analytical_applications_infrastructure	>= 8.0.2, <= 8.0.8	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::
oracle	flexcube_private_banking	12.0.1	cpe:2.3:a:oracle:flexcube_private_banking:12.0.1:::::::*
oracle	flexcube_private_banking	12.0.3	cpe:2.3:a:oracle:flexcube_private_banking:12.0.3:::::::*
oracle	flexcube_private_banking	12.1.0	cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:::::::*
oracle	goldengate_application_adapters	12.3.2.1.0	cpe:2.3:a:oracle:goldengate_application_adapters:12.3.2.1.0:::::::*
oracle	healthcare_master_person_index	3.0	cpe:2.3:a:oracle:healthcare_master_person_index:3.0:::::::*
oracle	healthcare_master_person_index	4.0.2	cpe:2.3:a:oracle:healthcare_master_person_index:4.0.2:::::::*
oracle	identity_manager_connector	9.0	cpe:2.3:a:oracle:identity_manager_connector:9.0:::::::*
oracle	insurance_calculation_engine	9.7	cpe:2.3:a:oracle:insurance_calculation_engine:9.7:::::::*
oracle	insurance_calculation_engine	10.0	cpe:2.3:a:oracle:insurance_calculation_engine:10.0:::::::*
oracle	insurance_calculation_engine	10.1	cpe:2.3:a:oracle:insurance_calculation_engine:10.1:::::::*
oracle	insurance_calculation_engine	10.2	cpe:2.3:a:oracle:insurance_calculation_engine:10.2:::::::*
oracle	insurance_policy_administration_j2ee	10.0	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.0:::::::*
oracle	insurance_policy_administration_j2ee	10.1	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.1:::::::*
oracle	insurance_policy_administration_j2ee	10.2	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2:::::::*
oracle	insurance_policy_administration_j2ee	10.2.0	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:::::::*
oracle	insurance_policy_administration_j2ee	10.2.4	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:::::::*
oracle	insurance_policy_administration_j2ee	11.0	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0:::::::*
oracle	insurance_policy_administration_j2ee	11.1.0	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.1.0:::::::*
oracle	insurance_policy_administration_j2ee	11.2.0	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.2.0:::::::*
oracle	insurance_rules_palette	10.0	cpe:2.3:a:oracle:insurance_rules_palette:10.0:::::::*
oracle	insurance_rules_palette	10.1	cpe:2.3:a:oracle:insurance_rules_palette:10.1:::::::*
oracle	insurance_rules_palette	10.2	cpe:2.3:a:oracle:insurance_rules_palette:10.2:::::::*
oracle	insurance_rules_palette	10.2.0	cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:::::::*
oracle	insurance_rules_palette	10.2.4	cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:::::::*
oracle	insurance_rules_palette	11.0	cpe:2.3:a:oracle:insurance_rules_palette:11.0:::::::*
oracle	insurance_rules_palette	11.0.2	cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:::::::*
oracle	insurance_rules_palette	11.1.0	cpe:2.3:a:oracle:insurance_rules_palette:11.1.0:::::::*
oracle	insurance_rules_palette	11.2.0	cpe:2.3:a:oracle:insurance_rules_palette:11.2.0:::::::*
oracle	mysql_enterprise_monitor	<= 4.0.12	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
oracle	mysql_enterprise_monitor	>= 8.0.0, <= 8.0.20	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
oracle	primavera_analytics	18.8	cpe:2.3:a:oracle:primavera_analytics:18.8:::::::*
oracle	primavera_gateway	15.2	cpe:2.3:a:oracle:primavera_gateway:15.2:::::::*
oracle	primavera_gateway	16.2	cpe:2.3:a:oracle:primavera_gateway:16.2:::::::*
oracle	primavera_gateway	17.12	cpe:2.3:a:oracle:primavera_gateway:17.12:::::::*
oracle	primavera_gateway	18.8.0	cpe:2.3:a:oracle:primavera_gateway:18.8.0:::::::*
oracle	rapid_planning	12.1	cpe:2.3:a:oracle:rapid_planning:12.1:::::::*
oracle	rapid_planning	12.2	cpe:2.3:a:oracle:rapid_planning:12.2:::::::*
oracle	retail_advanced_inventory_planning	15.0	cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:::::::*
oracle	retail_assortment_planning	15.0	cpe:2.3:a:oracle:retail_assortment_planning:15.0:::::::*
oracle	retail_assortment_planning	16.0	cpe:2.3:a:oracle:retail_assortment_planning:16.0:::::::*
oracle	retail_clearance_optimization_engine	14.0.5	cpe:2.3:a:oracle:retail_clearance_optimization_engine:14.0.5:::::::*
oracle	retail_financial_integration	14.0	cpe:2.3:a:oracle:retail_financial_integration:14.0:::::::*
oracle	retail_financial_integration	14.1	cpe:2.3:a:oracle:retail_financial_integration:14.1:::::::*
oracle	retail_financial_integration	15.0	cpe:2.3:a:oracle:retail_financial_integration:15.0:::::::*
oracle	retail_financial_integration	16.0	cpe:2.3:a:oracle:retail_financial_integration:16.0:::::::*

References for CVE-2018-15756

URL	Tags
http://www.securityfocus.com/bid/105703	Third Party Advisory VDB Entry URL Repurposed
https://lists.apache.org/thread.html/339fd112517e4873695b5115b96acdddbfc8f83b10598528d37c7d12%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/77886fec378ee6064debb1efb6b464a4a0173b2ff0d151ed86d3a228%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/7b156ee50ba3ecce87b33c06bf7a749d84ffee55e69bfb5eca88fcc3%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/8a1fe70534fc52ff5c9db5ac29c55657f802cbefd7e9d9850c7052bd%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/a3071e11c6fbd593022074ec1b4693f6d948c2b02cfa4a5d854aed68%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/bb354962cb51fff65740d5fb1bc2aac56af577c06244b57c36f98e4d%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/d6a84f52db89804b0ad965f3ea2b24bb880edee29107a1c5069cc3dd%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/efaa52b0aa67aae7cbd9e6ef96945387e422d7ce0e65434570a37b1d%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/f8905507a2c94af6b08b72d7be0c4b8c6660e585f00abfafeccc86bc%40%3Cissues.activemq.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html	Mailing List Third Party Advisory
https://pivotal.io/security/cve-2018-15756	Vendor Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Not Applicable Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	Patch Third Party Advisory

URL

CVE-2018-15756 | DoS Attack via Range Requests

Exploit prediction scoring system (EPSS) score for CVE-2018-15756

Common vulnerability scoring system (CVSS) metrics for CVE-2018-15756

Weakness enumeration for CVE-2018-15756

GitHub Security Advisory for CVE-2018-15756

OS Trackers for CVE-2018-15756

Affected software / configurations for CVE-2018-15756

References for CVE-2018-15756