9.8

CVE-2017-8046

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VMwareSpring Boot Version < 1.5.9
VMwareSpring Boot Version2.0.0 Updatemilestone1
VMwareSpring Boot Version2.0.0 Updatemilestone2
VMwareSpring Boot Version2.0.0 Updatemilestone3
VMwareSpring Boot Version2.0.0 Updatemilestone4
VMwareSpring Boot Version2.0.0 Updatemilestone5
Pivotal SoftwareSpring Data Rest Version < 2.6.9
Pivotal SoftwareSpring Data Rest Version3.0.0 Updatem1
Pivotal SoftwareSpring Data Rest Version3.0.0 Updatem2
Pivotal SoftwareSpring Data Rest Version3.0.0 Updatem3
Pivotal SoftwareSpring Data Rest Version3.0.0 Updatem4
Pivotal SoftwareSpring Data Rest Version3.0.0 Updaterc1
Pivotal SoftwareSpring Data Rest Version3.0.0 Updaterc2
Pivotal SoftwareSpring Data Rest Version3.0.0 Updaterc3
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 93.73% 0.998
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.securityfocus.com/bid/100948
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/44289/
Third Party Advisory
VDB Entry