← Zuruck zu CVEs
CVE-2018-1273
CRITICALCISA KEV9.8
Beschreibung
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
CVE Details
CVSS v3.1 Bewertung9.8
SchweregradCRITICAL
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienNONE
BenutzerinteraktionNONE
Veroffentlicht4/11/2018
Zuletzt geandert10/28/2025
Quellekev
Honeypot-Sichtungen0
CISA KEV
HerstellerVMware Tanzu
ProduktSpring Data Commons
SchwachstellennameVMware Tanzu Spring Data Commons Property Binder Vulnerability
KEV Aufnahmedatum2022-03-25
Behebungsfrist2022-04-15
Ransomware-NutzungKnown
Betroffene Produkte
apache:igniteoracle:financial_services_crime_and_compliance_management_studiopivotal_software:spring_data_commonspivotal_software:spring_data_rest
Schwachen (CWE)
CWE-94
Referenzen
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E(security_alert@emc.com)
https://pivotal.io/security/cve-2018-1273(security_alert@emc.com)
https://www.oracle.com/security-alerts/cpujul2022.html(security_alert@emc.com)
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E(af854a3a-2127-422b-91ae-364da2661108)
https://pivotal.io/security/cve-2018-1273(af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1273(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.