CVE-2018-1273
Severity: CRITICAL | Listed in CISA KEV | CVSS 9.8
Description
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.
CVE Details
CVSS v3.1 Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 4/11/2018
Last Modified: 10/28/2025
Source: kev
Honeypot Sightings: 0
CISA KEV
Vendor: VMware Tanzu
Product: Spring Data Commons
Vulnerability Name: VMware Tanzu Spring Data Commons Property Binder Vulnerability
KEV Date Added: 2022-03-25
Remediation Due Date: 2022-04-15
Ransomware Use: Known
Affected Products
apache:ignite
oracle:financial_services_crime_and_compliance_management_studio
pivotal_software:spring_data_commons
pivotal_software:spring_data_rest
Weaknesses (CWE)
CWE-94 (Improper Control of Generation of Code, "Code Injection")
References
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
https://pivotal.io/security/cve-2018-1273
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1273
IOC Correlations: No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.