CVE-2018-1273

Warning

EPSS 94.19%
Published 11.04.2018 13:29:00
Last modified 30.07.2025 19:04:54
Source security_alert@emc.com
Teams watchlist Login
Open Login

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.

Affected products Warnungen 1 Metrics 4 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Pivotal Software ≫ Spring Data Commons Version <= 1.12.10

Pivotal Software ≫ Spring Data Commons Version >= 1.13.0 <= 1.13.10

Pivotal Software ≫ Spring Data Commons Version >= 2.0.0 <= 2.0.5

Pivotal Software ≫ Spring Data Rest Version <= 2.5.10

Pivotal Software ≫ Spring Data Rest Version >= 2.6.0 <= 2.6.10

Pivotal Software ≫ Spring Data Rest Version >= 3.0.0 <= 3.0.5

Apache ≫ Ignite Version >= 1.0.1 <= 2.5.0

Apache ≫ Ignite Version1.0.0 Update-

Apache ≫ Ignite Version1.0.0 Updaterc3

Oracle ≫ Financial Services Crime And Compliance Management Studio Version8.0.8.2.0

Oracle ≫ Financial Services Crime And Compliance Management Studio Version8.0.8.3.0

25.03.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

VMware Tanzu Spring Data Commons Property Binder Vulnerability

Vulnerability

Spring Data Commons contains a property binder vulnerability which can allow an attacker to perform remote code execution.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	94.19%	0.999

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://www.oracle.com/security-alerts/cpujul2022.html

Patch

Third Party Advisory

http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E

Third Party Advisory

Mailing List

https://pivotal.io/security/cve-2018-1273

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-1273

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-1273

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-1273

EUVD