CVE-2018-1259 — Spring Data Commons, used in combination with XMLBeam, contains a property binde

Description

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.

How to fix CVE-2018-1259

To remediate CVE-2018-1259, upgrade the affected package to a fixed version below.

—upgrade to 1.13.12 or later

Is CVE-2018-1259 being exploited?

Moderate — EPSS is 9.8%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 1.13.0, < 1.13.12

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (6)

ADVISORYgithub.com/advisories/GHSA-m929-7fr6-cvjg
ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1259
WEBaccess.redhat.com/errata/RHSA-2018:1809
WEBaccess.redhat.com/errata/RHSA-2018:3768
WEBpivotal.io