7.5

CVE-2018-1259

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
BroadcomSpring Data Commons Version >= 1.13 <= 1.13.11
BroadcomSpring Data Commons Version >= 2.0 <= 2.0.6
Pivotal SoftwareSpring Data Rest Version >= 3.0 <= 3.0.6
VMwareSpring Data Rest Version > 2.6 <= 2.6.11
XmlbeamXmlbeam Version <= 1.4.14
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.97% 0.911
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://www.oracle.com/security-alerts/cpujul2022.html
https://access.redhat.com/errata/RHSA-2018:3768
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1809
Third Party Advisory
https://pivotal.io/security/cve-2018-1259
Vendor Advisory