⚠ Exploited in the wild: exploitation observed in the wild. Not yet on CISA KEV.
CVE-2017-8046
Severity: 9.8 CRITICAL
EPSS: 94.0% (top 0.11%)
CISA KEV: Not in KEV
Exploit: Exploited in wild (active exploitation observed)
Affected products
Timeline
Published: Jan 4
Latest update: May 13
Description
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages (4 packages)
CVEListV5: pivotal/pivotal_spring_data_rest_and_spring_boot: Pivotal Spring Data REST versions prior to 2.6.9 (Ingalls SR9), 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6
🔴 Vulnerability Details (4)
CVEList: CVE-2017-8046: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2 (2018-01-04)
💥 Exploits & PoCs (2)
Exploit-DB: Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution (2018-03-15)
Nuclei: Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
📋 Vendor Advisories (1)
Red Hat: spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code (2018-03-06)
💬 Community (1)
Bugzilla: CVE-2017-8046 spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code (2018-03-08)