CVE-2018-1273
Spring Data Commons remote code injection vulnerability
9.8
CRITICAL
CVSS 3.1
⚠ KEV | EPSS 94.3%
Description
Spring Data Commons versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote attacker can supply specially crafted request parameters to Spring Data REST backed HTTP resources, or to Spring Data's projection-based request payload binding, leading to remote code execution.
How to fix CVE-2018-1273
To remediate CVE-2018-1273, upgrade the affected package to a fixed version below.
- Spring Data Commons: upgrade to 1.13.11 or later
Is CVE-2018-1273 being exploited?
Yes — CVE-2018-1273 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.
Affected packages (1)
- Spring Data Commons: >= 1.13.0, < 1.13.11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |