CVE-2018-1273
Severity CVSS v4.0:
Pending analysis
Type:
CWE-94
Code Injection
Publication date:
11/04/2018
Last modified:
14/03/2025
Description
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Base Score 2.0
7.50
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:* | 1.12.10 (including) | |
| cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:* | 1.13.0 (including) | 1.13.10 (including) |
| cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:* | 2.0.0 (including) | 2.0.5 (including) |
| cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:* | 2.5.10 (including) | |
| cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:* | 2.6.0 (including) | 2.6.10 (including) |
| cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:* | 3.0.0 (including) | 3.0.5 (including) |
| cpe:2.3:a:apache:ignite:*:*:*:*:*:*:*:* | 1.0.1 (including) | 2.5.0 (including) |
| cpe:2.3:a:apache:ignite:1.0.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:ignite:1.0.0:rc3:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
- https://pivotal.io/security/cve-2018-1273
- https://www.oracle.com/security-alerts/cpujul2022.html
- http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
- https://pivotal.io/security/cve-2018-1273
- https://www.oracle.com/security-alerts/cpujul2022.html