CVE-2017-8046
Published 2018-01-04
Priority P1 · 93 · CVSS 3.0 9.8 critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW (in the wild) · Exploit · VulnCheck KEV · Ransomware · Initial access
Exploited in the wild
EPSS: 72.78% (99.4th percentile)
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
Affected
16 ranges in the source; rows that carry no version data are collapsed below. The Kay (3.0.x) and Spring Boot 2.0 milestone ranges are the ones stated in the advisory text.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pivotal | pivotal_spring_data_rest_and_spring_boot | — | — |
| pivotal_software | spring_data_rest | — | — |
| vmware | spring_boot | < 1.5.9 | 1.5.9 |
| vmware | spring_boot | 2.0 milestones before 2.0 M6 | 2.0 M6 |
| vmware | spring_boot | — | — |
| vmware | spring_data_rest | < 2.6.9 (Ingalls) | 2.6.9 (Ingalls SR9) |
| vmware | spring_data_rest | 3.0.x before 3.0.1 (Kay) | 3.0.1 (Kay SR1) |
| vmware | spring_data_rest | — | — |
Detection & IOCs (extracted from sources)
Sigma
Detection: HTTP PATCH request with Content-Type application/json-patch+json whose JSON Patch "path" field contains a SpEL expression such as T(java.lang.Runtime).getRuntime().exec
- Look for HTTP PATCH requests to Spring Data REST endpoints with the Content-Type header set to application/json-patch+json; that is the content type the exploit requires.
- Detect SpEL (Spring Expression Language) injection in the JSON "path" field of the PATCH body, specifically patterns such as T(java.lang.Runtime).getRuntime().exec(...) embedded in the path value. A legitimate "path" is an RFC 6902 JSON Pointer (for example /lastname), so anything else in that field is suspicious on its own.
- An error response to a PATCH request whose body contains 'org.springframework' shows that a Spring stack processed the request; it suggests, but does not prove, a vulnerable Spring Data REST instance.
- Scan for exposed Spring Eureka dashboards as a discovery pivot: vulnerable Spring Boot/Data REST services are commonly co-located with Eureka service registries.
- Response headers indicating Spring Boot Actuator, or HAL JSON content types (application/hal+json), fingerprint the Spring application stack; they identify candidates, not confirmed vulnerable versions.
- Caveat: exploitation requires the target to expose a Spring Data REST-backed HTTP resource endpoint. The malicious PATCH request must target a valid resource path (e.g. /entity/1); the SpEL injection occurs in the JSON "path" field of the JSON Patch document, not in the URL path.
- Caveat: the Nuclei template discovers exploitable endpoints dynamically by first extracting HAL href links matching the pattern '?page,size,sort' from the root response and then targeting those endpoints; static endpoint assumptions may miss or misfire.
- Caveat: Red Hat OpenShift Application Runtimes (RHOAR) does not support Spring Data REST and is listed as Not Affected; detection rules should account for false positives on RHOAR deployments.
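The detection rule above reduces to three checks on a PATCH request: the content type is application/json-patch+json, the body is a JSON Patch array, and a "path" (or "from") value contains SpEL or is not a JSON Pointer at all. The script below applies those checks to raw HTTP requests. It is an added example, not code from this page, from Spring or from the Sigma rule; the three requests at the bottom are constructed samples, and the shape of the malicious "path" value is modeled on the pattern the rule describes rather than copied from a capture.

```python
"""Flag JSON Patch (RFC 6902) PATCH requests whose "path" carries SpEL.

Added example; not code from this page, from Spring or from the Sigma rule.
The raw HTTP requests at the bottom are constructed samples.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

JSON_PATCH_CT = "application/json-patch+json"

# SpEL constructs that never belong in a JSON Pointer: a type reference T(...),
# the Runtime.exec chain, construction of a java.* object, and the #{...} wrapper.
SPEL_PATTERNS = [
    re.compile(r"T\s*\(\s*[\w.]+\s*\)"),
    re.compile(r"getRuntime\s*\(\s*\)\s*\.\s*exec"),
    re.compile(r"\bnew\s+java\.[\w.]+\s*\("),
    re.compile(r"#\{.*\}"),
]

# RFC 6901 JSON Pointer: empty, or "/"-prefixed tokens where "~" appears only as "~0"/"~1".
JSON_POINTER = re.compile(r"^(?:/(?:[^/~]|~[01])*)*$")


@dataclass
class Finding:
    index: int                 # position of the operation in the patch array
    path: str                  # the offending "path"/"from" value
    reasons: List[str] = field(default_factory=list)


def parse_http_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (method, target, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect_patch_request(raw: str) -> List[Finding]:
    """One Finding per suspicious JSON Patch operation; [] when the request is clean
    or is not a JSON Patch PATCH at all (the only content type the exploit works with)."""
    method, _target, headers, body = parse_http_request(raw)
    if method != "PATCH":
        return []
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if content_type != JSON_PATCH_CT:
        return []
    try:
        ops = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(ops, list):
        return []
    findings: List[Finding] = []
    for idx, op in enumerate(ops):
        if not isinstance(op, dict):
            continue
        for key in ("path", "from"):          # "from" is a pointer too (move/copy)
            value = op.get(key)
            if not isinstance(value, str):
                continue
            reasons = [p.pattern for p in SPEL_PATTERNS if p.search(value)]
            if not JSON_POINTER.match(value):  # the input-validation rule a server should enforce
                reasons.append("not a JSON Pointer")
            if reasons:
                findings.append(Finding(idx, value, reasons))
    return findings


# Constructed sample traffic (not captured from a real system).
BENIGN = (
    "PATCH /customers/1 HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/json-patch+json\r\n"
    "\r\n"
    '[{"op":"replace","path":"/lastname","value":"Smith"}]'
)
MALICIOUS = (
    "PATCH /customers/1 HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/json-patch+json\r\n"
    "\r\n"
    '[{"op":"replace","path":"T(java.lang.Runtime).getRuntime().exec(\\"id\\")/lastname","value":"x"}]'
)
MERGE_PATCH = (   # different content type: not the code path this CVE is about
    "PATCH /customers/1 HTTP/1.1\r\n"
    "Content-Type: application/merge-patch+json\r\n"
    "\r\n"
    '{"lastname":"T(java.lang.Runtime)"}'
)

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("malicious", MALICIOUS), ("merge", MERGE_PATCH)):
        print(name, inspect_patch_request(req))
```

The JSON Pointer check is the one worth keeping even if the SpEL patterns are tuned down for noise: the "path" of a JSON Patch operation has exactly one legal grammar, and the server-side fix for this class of bug is to reject anything that does not parse as a pointer into the entity rather than to hand it to an expression evaluator.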
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
OSV
Remote code execution in PATCH requests in Spring Data REST
osv · 2022-05-13 · CRITICAL
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) can use specially crafted JSON data to run arbitrary Java code.
GHSA
Remote code execution in PATCH requests in Spring Data REST
ghsa · 2022-05-13 · CRITICAL · CWE-20
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) can use specially crafted JSON data to run arbitrary Java code.
VulnCheck
VMware Spring Framework Improper Input Validation
vulncheck · 2017 · CVSS 9.8 · CRITICAL
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
Affected: VMware Spring Framework
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.fortinet.com/blog/threat-research/closer-look-satan-ransomwares-propagation-technics
- https://cyware.com/news/satan-ransomware-an-overview-of-the-ransomwares-variants-and-exploits-35acecd3
- https://web.archive.org/web/202202270
Red Hat
spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code
vendor_redhat · 2018-03-06 · CVSS 9.8 · CRITICAL
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
Statement: While there might be compatibility issues upgrading Spring Data REST independently of the Spring Boot version, we recommend that customers make sure they are using a fixed version of Spring Data REST, 2.6.9 or 3.0.1. RHOAR has now upgraded to version 1.5.10 of Spring Boot, which is compatible with fixed versions of Spring Data REST.
Package: spring-boot (Red Hat OpenShift Application Runtimes) - Not affected
Exploit-DB
Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
exploitdb · 2018-03-15 · CVSS 9.8 · CRITICAL
Excerpt of the PoC (its argument-parsing section). The exploit description and the code before the argument loop were lost in extraction, and the excerpt is cut off at the end; the loop header and the first flag test are reconstructed from the surrounding branches and marked as such.

```java
// Excerpt of the Exploit-DB PoC (SpringBreakCve20178046.java): command-line parsing.
// The loop header and the first flag test below are reconstructed from the other
// branches (setUrl() / "URL must be passed."); the flag spelling "-u"/"--url" is
// a reconstruction, not verbatim from the source.
if (args.length > 0) {
    for (int i = 0; i < args.length; i++) {
        String p = args[i];
        if ("-u".equals(p) || "--url".equals(p)) {
            if (i + 1 > args.length - 1) {
                throw new IllegalArgumentException("URL must be passed.");
            }
            o.setUrl(args[++i]);
        } else if ("-cmd".equals(p) || "--command".equals(p)) {
            if (i + 1 > args.length - 1) {
                throw new IllegalArgumentException("Command must be passed.");
            }
            o.setCommand(args[++i]);
        } else if ("--cookies".equals(p)) {
            if (i + 1 > args.length - 1) {
                throw new IllegalArgumentException("Cookies must be passed, if specified.");
            }
            o.setCookies(args[++i]);
        } else if ("--clean".equals(p)) {
            o.setCleanResponse(true);
        } else if ("-v".equals(p) || "--verbose".equals(p)) {
            o.setVerbose(true);
        }
    }
    // Performing the exploit.
    o.exploit();
} else { // Wrong number of arguments.
    SpringBreakCve20178046.help();
    return;
}
} catch (URISyntaxException use) {
    System.ou   // excerpt cut off here in the source
```
Nuclei
Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
Spring Data REST before 2.6.9 and 3.0.1, and Spring Boot before 1.5.9 and 2.0 M6, contain a remote code execution flaw: processing a malicious PATCH request with crafted JSON data lets an attacker execute arbitrary Java code. The check consists of sending such a PATCH request.
Template (cut off in the source after the description field):

```yaml
id: CVE-2017-8046

info:
  name: Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
  author: domwhewell-sage
  severity: critical
  description: |
    Spring Data REST < 2.6.9 and 3.0.1, Spring Boot < 1.5.9 and 2.0 M6 contain a remote code execution caused by processing malicious PATCH requests with crafted JSON data, letting attackers execute arbitrary Java code, exploit requires sending
```
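The part of the template that matters operationally is the discovery step described in the caveats above: it does not assume a fixed endpoint but reads the HAL root, keeps the collection links templated with {?page,size,sort}, and then targets a resource under them. The script below reproduces that walk offline. It is an added example, not the Nuclei project's code; FAKE_SERVER holds constructed HAL responses keyed by URL path, standing in for a live application, and fake_fetch replaces the HTTP GET.

```python
"""Find concrete Spring Data REST entity URLs starting from the HAL API root.

Added example; not the Nuclei project's code. It mirrors the discovery step the
template is described as performing: read the API root, keep the templated
collection links ({?page,size,sort}), then take one item's "self" link from each
collection so that a PATCH probe targets a real resource path (e.g. /customers/1).
FAKE_SERVER holds constructed responses keyed by URL path.
"""
import json
import re
from typing import Callable, List, Optional
from urllib.parse import urlsplit

COLLECTION_TEMPLATE = re.compile(r"\{\?page,size,sort\}$")

# Constructed HAL documents, keyed by path, standing in for a live server.
FAKE_SERVER = {
    "/api": json.dumps({"_links": {
        "customers": {"href": "http://app.example.test/api/customers{?page,size,sort}", "templated": True},
        "orders": {"href": "http://app.example.test/api/orders{?page,size,sort}", "templated": True},
        "profile": {"href": "http://app.example.test/api/profile"},
    }}),
    "/api/customers": json.dumps({"_embedded": {"customers": [
        {"lastname": "Smith", "_links": {"self": {"href": "http://app.example.test/api/customers/1"}}},
        {"lastname": "Jones", "_links": {"self": {"href": "http://app.example.test/api/customers/2"}}},
    ]}}),
    "/api/orders": json.dumps({"_embedded": {"orders": []}}),   # empty: nothing to target
}


def fake_fetch(url: str) -> Optional[str]:
    """Stand-in for an HTTP GET; returns the constructed body or None for unknown paths."""
    return FAKE_SERVER.get(urlsplit(url).path)


def collection_links(root_body: str) -> List[str]:
    """Collection hrefs advertised by a HAL root, with the paging template stripped."""
    try:
        doc = json.loads(root_body)
    except json.JSONDecodeError:
        return []
    links = doc.get("_links", {}) if isinstance(doc, dict) else {}
    found = []
    for link in links.values():
        href = link.get("href", "") if isinstance(link, dict) else ""
        if COLLECTION_TEMPLATE.search(href):
            found.append(COLLECTION_TEMPLATE.sub("", href))
    return found


def first_self_link(collection_body: str) -> Optional[str]:
    """The "self" href of the first embedded item, or None if the collection is empty."""
    try:
        doc = json.loads(collection_body)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict):
        return None
    for items in doc.get("_embedded", {}).values():
        for item in items:
            href = item.get("_links", {}).get("self", {}).get("href")
            if href:
                return href
    return None


def discover_targets(root_url: str, fetch: Callable[[str], Optional[str]] = fake_fetch) -> List[str]:
    """Entity URLs (one per non-empty collection) that a PATCH probe could be sent to."""
    root = fetch(root_url)
    if root is None:
        return []
    targets = []
    for coll_url in collection_links(root):
        body = fetch(coll_url)
        href = first_self_link(body) if body else None
        if href:
            targets.append(href)
    return targets


if __name__ == "__main__":
    print(discover_targets("http://app.example.test/api"))
```

Swapping fake_fetch for a real GET turns this into the candidate list a scanner would probe; the same walk is also a cheap inventory of which Spring Data REST repositories an application exposes, which is the asset side of the detection rules above (an application with no templated collection links has nothing for this exploit to PATCH).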
Fortinet
A Closer Look at Satan Ransomware's Propagation Techniques
blogs_fortinet · 2019-05-20 · CVSS 5.3 [MEDIUM]
FortiGuard Labs Threat Research. By David Maciejak and Floser Bacurio Jr. | May 20, 2019
Satan ransomware first appeared in early 2017, and since then threat actors have been constantly improving the malware to infect its victims more effectively and to maximize its profits. For instance, FortiGuard Labs has discovered a campaign which was also utilizing a cryptominer malware as an additional payload to maximize its profits from its victims.
Aside from the fact that this file-encrypting malware targets both Linux and Windows platforms, it also employs numerous vulnerabilities to propagate itself through public and external networks. In fact, FortiGuard Labs has discovered a new variant t
GreyNoise
NoiseLetter August 2025
blogs_greynoiseio
Bugzilla
CVE-2017-8046 spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code
bugzilla · 2018-03-08 · CVSS 9.8 · CRITICAL
Malicious PATCH requests submitted to servers using Spring Data REST backed HTTP resources can use specially crafted JSON data to run arbitrary Java code.
Discussion:
Spring Data REST is not supported in RHOAR.
Please be sure to select a version of Spring Data REST which is not affected by this issue:
- Spring Data REST 2.6.9 (Ingalls SR9, Oct. 27th, 2017)
- Spring Data REST 3.0.1 (Kay SR1, Oct. 27th, 2017)
Statement: identical to the Red Hat statement above (fixed Spring Data REST 2.6.9 or 3.0.1; RHOAR upgraded to Spring Boot 1.5.10).
References
- http://www.securityfocus.com/bid/100948
- https://access.redhat.com/errata/RHSA-2018:2405
- https://pivotal.io/security/cve-2017-8046
- https://www.exploit-db.com/exploits/44289/