cnvd - cnvd-2018-07567

cnvd-2018-07567

Vulnerability from cnvd

Title: Spring Data Commons拒绝服务漏洞

Description:

Spring Data是Spring框架中提供底层数据访问的项目模块，Spring Data Commons是一个共用的基础模块。

Spring Data Commons存在拒绝服务漏洞。由于Spring Data Commons模块在解析属性路径时未限制资源分配，导致攻击者可以通过消耗CPU和内存资源来进行拒绝服务攻击。

Severity: 中

Patch Name: Spring Data Commons拒绝服务漏洞的补丁

Patch Description:

Spring Data是Spring框架中提供底层数据访问的项目模块，Spring Data Commons是一个共用的基础模块。

Spring Data Commons存在拒绝服务漏洞。由于Spring Data Commons模块在解析属性路径时未限制资源分配，导致攻击者可以通过消耗CPU和内存资源来进行拒绝服务攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

用户可参考如下供应商提供的安全公告获得补丁信息： https://pivotal.io/security/cve-2018-1274

Reference: https://pivotal.io/security/cve-2018-1274

Impacted products

Name
['Pivotal Software Spring Data Commons >=1.13，<=1.13.10 (Ingalls SR10)', 'Pivotal Software Spring Data Commons >=2.0，<=2.0.5 (Kay SR5)', 'Pivotal Software Spring Data REST >=2.6，<=2.6.10 (Ingalls SR10)', 'Pivotal Software Spring Data REST >=3.0，<=3.0.5 (Kay SR5)']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-1274"
    }
  },
  "description": "Spring Data\u662fSpring\u6846\u67b6\u4e2d\u63d0\u4f9b\u5e95\u5c42\u6570\u636e\u8bbf\u95ee\u7684\u9879\u76ee\u6a21\u5757\uff0cSpring Data Commons\u662f\u4e00\u4e2a\u5171\u7528\u7684\u57fa\u7840\u6a21\u5757\u3002\r\n\r\nSpring Data Commons\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u7531\u4e8eSpring Data Commons\u6a21\u5757\u5728\u89e3\u6790\u5c5e\u6027\u8def\u5f84\u65f6\u672a\u9650\u5236\u8d44\u6e90\u5206\u914d\uff0c\u5bfc\u81f4\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u6d88\u8017CPU\u548c\u5185\u5b58\u8d44\u6e90\u6765\u8fdb\u884c\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002",
  "discovererName": "Yevhenii Hrushka (Yevgeniy Grushka), Fortify Webinspect",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://pivotal.io/security/cve-2018-1274",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-07567",
  "openTime": "2018-04-12",
  "patchDescription": "Spring Data\u662fSpring\u6846\u67b6\u4e2d\u63d0\u4f9b\u5e95\u5c42\u6570\u636e\u8bbf\u95ee\u7684\u9879\u76ee\u6a21\u5757\uff0cSpring Data Commons\u662f\u4e00\u4e2a\u5171\u7528\u7684\u57fa\u7840\u6a21\u5757\u3002\r\n\r\nSpring Data Commons\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u7531\u4e8eSpring Data Commons\u6a21\u5757\u5728\u89e3\u6790\u5c5e\u6027\u8def\u5f84\u65f6\u672a\u9650\u5236\u8d44\u6e90\u5206\u914d\uff0c\u5bfc\u81f4\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u6d88\u8017CPU\u548c\u5185\u5b58\u8d44\u6e90\u6765\u8fdb\u884c\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Spring Data Commons\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Pivotal Software Spring Data Commons \u003e=1.13\uff0c\u003c=1.13.10 (Ingalls SR10)",
      "Pivotal Software Spring Data Commons \u003e=2.0\uff0c\u003c=2.0.5 (Kay SR5)",
      "Pivotal Software Spring Data REST \u003e=2.6\uff0c\u003c=2.6.10 (Ingalls SR10)",
      "Pivotal Software Spring Data REST \u003e=3.0\uff0c\u003c=3.0.5 (Kay SR5)"
    ]
  },
  "referenceLink": "https://pivotal.io/security/cve-2018-1274",
  "serverity": "\u4e2d",
  "submitTime": "2018-04-12",
  "title": "Spring Data Commons\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

CVE-2018-1274 (GCVE-0-2018-1274)

Vulnerability from cvelistv5

Published

2018-04-18 16:00

Modified

2024-09-17 01:11

Severity ?

CWE

Denial of Service

Summary

Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).

References

▼	URL	Tags
	http://www.securityfocus.com/bid/103769	vdb-entry, x_refsource_BID
	https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC
	https://pivotal.io/security/cve-2018-1274	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Spring by Pivotal	Spring Framework	Version: Versions 1.13 to 1.13.10, 2.0 to 2.0.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:51:49.173Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "103769",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/103769"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pivotal.io/security/cve-2018-1274"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Spring Framework",
          "vendor": "Spring by Pivotal",
          "versions": [
            {
              "status": "affected",
              "version": "Versions 1.13 to 1.13.10, 2.0 to 2.0.5"
            }
          ]
        }
      ],
      "datePublic": "2018-04-10T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Denial of Service",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-22T17:58:14",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "name": "103769",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/103769"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pivotal.io/security/cve-2018-1274"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@dell.com",
          "DATE_PUBLIC": "2018-04-10T00:00:00",
          "ID": "CVE-2018-1274",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Spring Framework",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Versions 1.13 to 1.13.10, 2.0 to 2.0.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Spring by Pivotal"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of Service"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "103769",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/103769"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "https://pivotal.io/security/cve-2018-1274",
              "refsource": "CONFIRM",
              "url": "https://pivotal.io/security/cve-2018-1274"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2018-1274",
    "datePublished": "2018-04-18T16:00:00Z",
    "dateReserved": "2017-12-06T00:00:00",
    "dateUpdated": "2024-09-17T01:11:48.375Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted