CVE-2018-1273
Severity: CRITICAL | CISA KEV | CVSS 9.8
Description
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.
CVE details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 4/11/2018
Last modified: 10/28/2025
Source: kev
Honeypot observations: 0
CISA KEV
Vendor: VMware Tanzu
Product: Spring Data Commons
Vulnerability name: VMware Tanzu Spring Data Commons Property Binder Vulnerability
Date added to KEV: 2022-03-25
Remediation due date: 2022-04-15
Known use in ransomware campaigns: Known
Affected products (CPE vendor:product)
apache:ignite
oracle:financial_services_crime_and_compliance_management_studio
pivotal_software:spring_data_commons
pivotal_software:spring_data_rest
Weaknesses (CWE)
CWE-94
References
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
https://pivotal.io/security/cve-2018-1273
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1273
IOC correlations
No correlation recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.