CVE-2018-1273
CRITICAL 9.8 | ⚠ KEV | EPSS 94.3%
Spring Data Commons remote code injection vulnerability
Published: 2018/10/17 | Modified: 2024/3/20 | Added to CISA KEV: 2022/3/25
Description
Spring Data Commons versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote attacker can supply specially crafted request parameters against Spring Data REST backed HTTP resources, or use Spring Data's projection-based request payload binding, to achieve remote code execution.
Affected packages (1)
- Maven / org.springframework.data:spring-data-commons: >= 1.13.0, < 1.13.11
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (9)
- ADVISORY: https://github.com/advisories/GHSA-4fq3-mr56-cg6r
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2018-1273
- PATCH: https://github.com/spring-projects/spring-data-commons
- WEB: http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
- WEB: https://github.com/spring-projects/spring-data-commons/commit/ae1dd2741ce06d44a0966ecbd6f47beabde2b653
- WEB: https://github.com/spring-projects/spring-data-commons/commit/b1a20ae1e82a63f99b3afc6f2aaedb3bf4dc432a
- WEB: https://github.com/spring-projects/spring-data-commons/issues/1721
- WEB: https://pivotal.io/security/cve-2018-1273
- WEB: https://www.oracle.com/security-alerts/cpujul2022.html