9.8
CVE-2018-1273
- EPSS 94.19%
- Published 11.04.2018 13:29:00
- Last modified 30.07.2025 19:04:54
- Source security_alert@emc.com
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.
Data provided by the National Vulnerability Database (NVD)
Pivotal Software ≫ Spring Data Commons Version <= 1.12.10
Pivotal Software ≫ Spring Data Commons Version >= 1.13.0 <= 1.13.10
Pivotal Software ≫ Spring Data Commons Version >= 2.0.0 <= 2.0.5
Pivotal Software ≫ Spring Data Rest Version <= 2.5.10
Pivotal Software ≫ Spring Data Rest Version >= 2.6.0 <= 2.6.10
Pivotal Software ≫ Spring Data Rest Version >= 3.0.0 <= 3.0.5
Oracle ≫ Financial Services Crime And Compliance Management Studio Version 8.0.8.2.0
Oracle ≫ Financial Services Crime And Compliance Management Studio Version 8.0.8.3.0
25.03.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog
Vulnerability: VMware Tanzu Spring Data Commons Property Binder Vulnerability
Description: Spring Data Commons contains a property binder vulnerability which can allow an attacker to perform remote code execution.
Required action: Apply updates per vendor instructions.

Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 94.19% | 0.999 |
Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
nvd@nist.gov | 7.5 | 10 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.