Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities found for spring_data_commons by broadcom
CVE-2018-1259 (GCVE-0-2018-1259)
Vulnerability from nvd – Published: 2018-05-11 20:00 – Updated: 2024-09-16 16:33
VLAI
Summary
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
Severity
No CVSS data available.
CWE
- XML Parsing
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2018:1809 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2018:3768 | vendor-advisoryx_refsource_REDHAT |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
| https://pivotal.io/security/cve-2018-1259 | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Pivotal | Spring Data Commons |
Affected:
1.13 prior to 1.13.12; 2.0 prior to 2.0.7
|
Date Public
2018-05-09 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:51:48.968Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2018:1809",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1809"
},
{
"name": "RHSA-2018:3768",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3768"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2018-1259"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spring Data Commons",
"vendor": "Pivotal",
"versions": [
{
"status": "affected",
"version": "1.13 prior to 1.13.12; 2.0 prior to 2.0.7"
}
]
}
],
"datePublic": "2018-05-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data\u0027s projection-based request payload binding to access arbitrary files on the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML Parsing",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-22T17:57:52.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"name": "RHSA-2018:1809",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1809"
},
{
"name": "RHSA-2018:3768",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3768"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2018-1259"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2018-05-09T00:00:00",
"ID": "CVE-2018-1259",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Data Commons",
"version": {
"version_data": [
{
"version_value": "1.13 prior to 1.13.12; 2.0 prior to 2.0.7"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data\u0027s projection-based request payload binding to access arbitrary files on the system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XML Parsing"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2018:1809",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1809"
},
{
"name": "RHSA-2018:3768",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3768"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://pivotal.io/security/cve-2018-1259",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2018-1259"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2018-1259",
"datePublished": "2018-05-11T20:00:00.000Z",
"dateReserved": "2017-12-06T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:33:36.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1274 (GCVE-0-2018-1274)
Vulnerability from nvd – Published: 2018-04-18 16:00 – Updated: 2024-09-17 01:11
VLAI
Summary
Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
3 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/103769 | vdb-entryx_refsource_BID |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
| https://pivotal.io/security/cve-2018-1274 | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Spring by Pivotal | Spring Framework |
Affected:
Versions 1.13 to 1.13.10, 2.0 to 2.0.5
|
Date Public
2018-04-10 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:51:49.173Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103769",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103769"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2018-1274"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spring Framework",
"vendor": "Spring by Pivotal",
"versions": [
{
"status": "affected",
"version": "Versions 1.13 to 1.13.10, 2.0 to 2.0.5"
}
]
}
],
"datePublic": "2018-04-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-22T17:58:14.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"name": "103769",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103769"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2018-1274"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2018-04-10T00:00:00",
"ID": "CVE-2018-1274",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Framework",
"version": {
"version_data": [
{
"version_value": "Versions 1.13 to 1.13.10, 2.0 to 2.0.5"
}
]
}
}
]
},
"vendor_name": "Spring by Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103769",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103769"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://pivotal.io/security/cve-2018-1274",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2018-1274"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2018-1274",
"datePublished": "2018-04-18T16:00:00.000Z",
"dateReserved": "2017-12-06T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:11:48.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1273 (GCVE-0-2018-1273)
Vulnerability from nvd – Published: 2018-04-11 13:00 – Updated: 2025-10-21 23:45
VLAI
CISA KEV
Summary
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
Severity
9.8 (Critical)
SSVC
Exploitation: active
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - - Code Injection
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://mail-archives.apache.org/mod_mbox/ignite-d… | mailing-listx_refsource_MLIST |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
| https://pivotal.io/security/cve-2018-1273 | x_refsource_CONFIRM |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Spring by Pivotal | Spring Framework |
Affected:
Versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions
|
Date Public
2018-04-10 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:51:48.994Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[ignite-dev] 20180719 [CVE-2018-1273] Apache Ignite impacted by security vulnerability in Spring Data Commons",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2018-1273"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2018-1273",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T12:41:40.372134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1273"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:45:52.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1273"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-03-25T00:00:00.000Z",
"value": "CVE-2018-1273 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Spring Framework",
"vendor": "Spring by Pivotal",
"versions": [
{
"status": "affected",
"version": "Versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions"
}
]
}
],
"datePublic": "2018-04-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data\u0027s projection-based request payload binding hat can lead to a remote code execution attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 - Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-22T17:58:04.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"name": "[ignite-dev] 20180719 [CVE-2018-1273] Apache Ignite impacted by security vulnerability in Spring Data Commons",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2018-1273"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2018-04-10T00:00:00",
"ID": "CVE-2018-1273",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Framework",
"version": {
"version_data": [
{
"version_value": "Versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions"
}
]
}
}
]
},
"vendor_name": "Spring by Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data\u0027s projection-based request payload binding hat can lead to a remote code execution attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94 - Code Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[ignite-dev] 20180719 [CVE-2018-1273] Apache Ignite impacted by security vulnerability in Spring Data Commons",
"refsource": "MLIST",
"url": "http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://pivotal.io/security/cve-2018-1273",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2018-1273"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2018-1273",
"datePublished": "2018-04-11T13:00:00.000Z",
"dateReserved": "2017-12-06T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:45:52.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1259 (GCVE-0-2018-1259)
Vulnerability from cvelistv5 – Published: 2018-05-11 20:00 – Updated: 2024-09-16 16:33
VLAI
Summary
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
Severity
No CVSS data available.
CWE
- XML Parsing
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2018:1809 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2018:3768 | vendor-advisoryx_refsource_REDHAT |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
| https://pivotal.io/security/cve-2018-1259 | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Pivotal | Spring Data Commons |
Affected:
1.13 prior to 1.13.12; 2.0 prior to 2.0.7
|
Date Public
2018-05-09 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:51:48.968Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2018:1809",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1809"
},
{
"name": "RHSA-2018:3768",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3768"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2018-1259"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spring Data Commons",
"vendor": "Pivotal",
"versions": [
{
"status": "affected",
"version": "1.13 prior to 1.13.12; 2.0 prior to 2.0.7"
}
]
}
],
"datePublic": "2018-05-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data\u0027s projection-based request payload binding to access arbitrary files on the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML Parsing",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-22T17:57:52.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"name": "RHSA-2018:1809",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1809"
},
{
"name": "RHSA-2018:3768",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3768"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2018-1259"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2018-05-09T00:00:00",
"ID": "CVE-2018-1259",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Data Commons",
"version": {
"version_data": [
{
"version_value": "1.13 prior to 1.13.12; 2.0 prior to 2.0.7"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data\u0027s projection-based request payload binding to access arbitrary files on the system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XML Parsing"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2018:1809",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1809"
},
{
"name": "RHSA-2018:3768",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3768"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://pivotal.io/security/cve-2018-1259",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2018-1259"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2018-1259",
"datePublished": "2018-05-11T20:00:00.000Z",
"dateReserved": "2017-12-06T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:33:36.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1274 (GCVE-0-2018-1274)
Vulnerability from cvelistv5 – Published: 2018-04-18 16:00 – Updated: 2024-09-17 01:11
VLAI
Summary
Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
3 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/103769 | vdb-entryx_refsource_BID |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
| https://pivotal.io/security/cve-2018-1274 | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Spring by Pivotal | Spring Framework |
Affected:
Versions 1.13 to 1.13.10, 2.0 to 2.0.5
|
Date Public
2018-04-10 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:51:49.173Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103769",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103769"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2018-1274"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spring Framework",
"vendor": "Spring by Pivotal",
"versions": [
{
"status": "affected",
"version": "Versions 1.13 to 1.13.10, 2.0 to 2.0.5"
}
]
}
],
"datePublic": "2018-04-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-22T17:58:14.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"name": "103769",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103769"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2018-1274"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2018-04-10T00:00:00",
"ID": "CVE-2018-1274",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Framework",
"version": {
"version_data": [
{
"version_value": "Versions 1.13 to 1.13.10, 2.0 to 2.0.5"
}
]
}
}
]
},
"vendor_name": "Spring by Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103769",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103769"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://pivotal.io/security/cve-2018-1274",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2018-1274"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2018-1274",
"datePublished": "2018-04-18T16:00:00.000Z",
"dateReserved": "2017-12-06T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:11:48.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1273 (GCVE-0-2018-1273)
Vulnerability from cvelistv5 – Published: 2018-04-11 13:00 – Updated: 2025-10-21 23:45
VLAI
CISA KEV
Summary
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
Severity
9.8 (Critical)
SSVC
Exploitation: active
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - - Code Injection
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://mail-archives.apache.org/mod_mbox/ignite-d… | mailing-listx_refsource_MLIST |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
| https://pivotal.io/security/cve-2018-1273 | x_refsource_CONFIRM |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Spring by Pivotal | Spring Framework |
Affected:
Versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions
|
Date Public
2018-04-10 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:51:48.994Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[ignite-dev] 20180719 [CVE-2018-1273] Apache Ignite impacted by security vulnerability in Spring Data Commons",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2018-1273"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2018-1273",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T12:41:40.372134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1273"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:45:52.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1273"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-03-25T00:00:00.000Z",
"value": "CVE-2018-1273 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Spring Framework",
"vendor": "Spring by Pivotal",
"versions": [
{
"status": "affected",
"version": "Versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions"
}
]
}
],
"datePublic": "2018-04-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data\u0027s projection-based request payload binding hat can lead to a remote code execution attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 - Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-22T17:58:04.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"name": "[ignite-dev] 20180719 [CVE-2018-1273] Apache Ignite impacted by security vulnerability in Spring Data Commons",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2018-1273"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2018-04-10T00:00:00",
"ID": "CVE-2018-1273",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Framework",
"version": {
"version_data": [
{
"version_value": "Versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions"
}
]
}
}
]
},
"vendor_name": "Spring by Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data\u0027s projection-based request payload binding hat can lead to a remote code execution attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94 - Code Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[ignite-dev] 20180719 [CVE-2018-1273] Apache Ignite impacted by security vulnerability in Spring Data Commons",
"refsource": "MLIST",
"url": "http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://pivotal.io/security/cve-2018-1273",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2018-1273"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2018-1273",
"datePublished": "2018-04-11T13:00:00.000Z",
"dateReserved": "2017-12-06T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:45:52.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}