Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-1259

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.

Published

2018-05-11T20:29:00.307

Last Modified

2024-11-21T03:59:29.177

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
Exploitability Score

10.0

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-611
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application pivotal_software spring_data_commons ≤ 1.13.11 Yes
Application pivotal_software spring_data_commons ≤ 2.0.6 Yes
Application pivotal_software spring_data_rest ≤ 2.6.11 Yes
Application pivotal_software spring_data_rest ≤ 3.0.6 Yes
Application xmlbeam xmlbeam ≤ 1.4.14 Yes
References