CVE-2018-1273
Severity: CRITICAL | CISA KEV | CVSS 9.8
Description
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.
CVE details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 4/11/2018
Last modified: 10/28/2025
Source: kev
Honeypot sightings: 0
CISA KEV
Vendor: VMware Tanzu
Product: Spring Data Commons
Vulnerability name: VMware Tanzu Spring Data Commons Property Binder Vulnerability
KEV date added: 2022-03-25
Remediation due date: 2022-04-15
Known ransomware use: Known
Affected products
apache:ignite
oracle:financial_services_crime_and_compliance_management_studio
pivotal_software:spring_data_commons
pivotal_software:spring_data_rest
Weaknesses (CWE)
CWE-94
References
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E (security_alert@emc.com)
https://pivotal.io/security/cve-2018-1273 (security_alert@emc.com)
https://www.oracle.com/security-alerts/cpujul2022.html (security_alert@emc.com)
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E (af854a3a-2127-422b-91ae-364da2661108)
https://pivotal.io/security/cve-2018-1273 (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1273 (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.