Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote attacker can supply specially crafted request parameters against Spring Data REST backed HTTP resources, or via Spring Data's projection-based request payload binding, which can lead to remote code execution.
References
| Link | Resource |
|---|---|
| http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E | Mailing List, Third Party Advisory |
| https://pivotal.io/security/cve-2018-1273 | Vendor Advisory |
| https://www.oracle.com/security-alerts/cpujul2022.html | |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: dell
Published: 2018-04-10T00:00:00
Updated: 2022-07-22T17:58:04
Reserved: 2017-12-06T00:00:00
Link: CVE-2018-1273
NVD Information
Status : Modified
Published: 2018-04-11T13:29:00.290
Modified: 2022-07-25T18:15:14.677
Link: CVE-2018-1273
Redhat Information
No data.