CVE-2018-1273
CVE-2018-1273
In short
Spring Data Commons allows attackers to execute arbitrary code on the server by sending specially crafted requests. An attacker can exploit a flaw in how the application processes user input to run malicious commands without needing to log in.
Technical detail
CWE-94 (improper neutralization of special elements) in Spring Data Commons property binder allows unauthenticated remote code execution via maliciously crafted request parameters targeting Spring Data REST endpoints or projection-based payload binding. Exploitation requires network access to affected HTTP resources; impact is complete system compromise through arbitrary code execution.
Summary generated and translated by AI from the official description.
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Spring by Pivotal · Spring Frameworkpublic PoCs found — 6
githubgithub.com/jas502n/cve-2018-1273★ 58githubgithub.com/wearearima/poc-cve-2018-1273★ 24githubgithub.com/knqyf263/CVE-2018-1273★ 10githubgithub.com/webr0ck/poc-cve-2018-1273★ 2githubgithub.com/cved-sources/cve-2018-1273★ 0githubgithub.com/hdgokani/CVE-2018-1273★ 0⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3Ehttps://pivotal.io/security/cve-2018-1273https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1273https://www.oracle.com/security-alerts/cpujul2022.html