CVE-2017-8046
Remote code execution in PATCH requests in Spring Data REST
CVSS 3.1 score: 9.8 (CRITICAL)
EPSS: 94.0%
Description
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9) or prior to 3.0.1 (Kay SR1) can use specially crafted JSON data to run arbitrary Java code.
How to fix CVE-2017-8046
To remediate CVE-2017-8046, upgrade the affected package to the fixed version listed below.
- Maven, org.springframework.data:spring-data-rest-core: upgrade to 2.6.9.RELEASE or later
Is CVE-2017-8046 being exploited?
Likely: the EPSS score of 94.0% places CVE-2017-8046 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- org.springframework.data:spring-data-rest-core (Maven): all versions from 0 up to, but not including, 2.6.9.RELEASE
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |