Vulnerability Monitor

CVE-2017-8046

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9) or prior to 3.0.1 (Kay SR1), and Spring Boot versions prior to 1.5.9 or 2.0 M6, can use specially crafted JSON data to run arbitrary Java code.

Published

2018-01-04T06:29:00.307

Last Modified

2024-11-21T03:33:12.757

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

10.0

Impact Score

6.4

Weaknesses
  • CWE-20 (Type: Primary)

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application vmware spring_boot < 1.5.9 Yes
Application vmware spring_boot 2.0.0 Yes
Application pivotal_software spring_data_rest < 2.6.9 Yes
Application pivotal_software spring_data_rest 3.0.0 Yes

References