9.8
CVE-2018-1273
- EPSS 95.65%
- Veröffentlicht 11.04.2018 13:29:00
- Zuletzt bearbeitet 26.06.2026 18:44:14
- Quelle security_alert@emc.com
- CVE-Watchlists
- Unerledigt
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Broadcom ≫ Spring Data Commons Version <= 1.12.10
Broadcom ≫ Spring Data Commons Version >= 1.13.0 <= 1.13.10
Broadcom ≫ Spring Data Commons Version >= 2.0.0 <= 2.0.5
Pivotal Software ≫ Spring Data Rest Version >= 3.0.0 <= 3.0.5
VMware ≫ Spring Data Rest Version <= 2.5.10
VMware ≫ Spring Data Rest Version >= 2.6.0 <= 2.6.10
Oracle ≫ Financial Services Crime And Compliance Management Studio Version8.0.8.2.0
Oracle ≫ Financial Services Crime And Compliance Management Studio Version8.0.8.3.0
25.03.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog
VMware Tanzu Spring Data Commons Property Binder Vulnerability
SchwachstelleSpring Data Commons contains a property binder vulnerability which can allow an attacker to perform remote code execution.
BeschreibungApply updates per vendor instructions.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 95.65% | 0.999 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
https://www.oracle.com/security-alerts/cpujul2022.html
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
https://pivotal.io/security/cve-2018-1273
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1273