cbcvebase.
CVE-2017-8046
published 2018-01-04

CVE-2017-8046: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot…

Priority: P193 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV · Ransomware · Initial access
Exploited in the wild
EPSS: 72.78% (99.4th percentile)
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

Affected (16 ranges)

Vendor            Product                                    Version range   Fixed in
pivotal           pivotal_spring_data_rest_and_spring_boot   (not given)     (not given)
pivotal_software  spring_data_rest (5 ranges)                (not given)     (not given)
vmware            spring_boot                                < 1.5.9         1.5.9
vmware            spring_boot (5 further ranges)             (not given)     (not given)
vmware            spring_data_rest                           < 2.6.9         2.6.9
vmware            spring_data_rest (3 further ranges)        (not given)     (not given)

Detection & IOCs (extracted from sources)

IOC (other): Content-Type: application/json-patch+json
Sigma rule: HTTP PATCH request with Content-Type application/json-patch+json containing the SpEL expression T(java.lang.Runtime).getRuntime().exec in the path field
  • Look for HTTP PATCH requests targeting Spring Data REST endpoints with Content-Type header set to 'application/json-patch+json', which is the required content type for exploitation.
  • Detect SpEL (Spring Expression Language) injection in the JSON 'path' field of PATCH requests — specifically patterns like T(java.lang.Runtime).getRuntime().exec(...) embedded in the path value.
  • Response bodies containing 'org.springframework' on a PATCH request error may indicate a vulnerable Spring Data REST instance that processed a malicious payload.
  • Scan for exposed Spring Eureka dashboards as a discovery pivot — vulnerable Spring Boot/Data REST services are commonly co-located with Eureka service registries.
  • Detect response headers indicating Spring Boot Actuator or HAL JSON content types, which fingerprint the vulnerable application stack.
  • Exploitation requires the target to expose a Spring Data REST-backed HTTP resource endpoint. The malicious PATCH request must target a valid resource path (e.g., /entity/1); the SpEL injection occurs in the JSON 'path' field of a JSON Patch document, not the URL path.
  • The Nuclei template dynamically discovers exploitable endpoints by first extracting HAL href links matching the pattern '?page,size,sort' from the root response, then targeting those endpoints; static endpoint assumptions may miss or misfire.
  • Red Hat OpenShift Application Runtimes (RHOAR) does not support Spring REST Data and is listed as Not Affected; detection rules should account for false positives on RHOAR deployments.
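The detection logic described above, as an added Python example (not code from cbcvebase or from any Spring project): it checks the method and Content-Type, parses the JSON Patch body and flags the quoted Runtime.exec pattern in the 'path' field. It also generalizes slightly, flagging any SpEL type reference T(...) and any path that is not a JSON Pointer (RFC 6902 requires "" or a string beginning with "/"). The request shape (method, header dict, raw body) and the sample bodies are constructed assumptions.

```python
import json
import re

# Assumed request shape (not from the page): method string, header dict and raw
# body, as a WAF hook or log-replay tool might hand them over.
JSON_PATCH_CT = "application/json-patch+json"
# Exact indicator quoted on the page.
RUNTIME_EXEC = re.compile(r"T\(java\.lang\.Runtime\)\.getRuntime\(\)\.exec")
# Broader SpEL type reference, e.g. T(some.Class); never legitimate in a JSON Pointer.
SPEL_TYPE_REF = re.compile(r"T\(\s*[\w.$]+\s*\)")


def inspect_patch_request(method, headers, body):
    """Return a list of findings for one request; empty means nothing suspicious."""
    findings = []
    if method.upper() != "PATCH":
        return findings
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if JSON_PATCH_CT not in ctype.lower():
        return findings  # only json-patch bodies reach the vulnerable code path
    try:
        ops = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(ops, list):
        return ["json-patch body is not an array of operations"]
    for i, op in enumerate(ops):
        path = op.get("path") if isinstance(op, dict) else None
        if not isinstance(path, str):
            continue
        if RUNTIME_EXEC.search(path):
            findings.append(f"op {i}: Runtime.exec SpEL in path (CVE-2017-8046 indicator)")
        elif SPEL_TYPE_REF.search(path):
            findings.append(f"op {i}: SpEL type reference in path")
        elif path and not path.startswith("/"):
            # RFC 6902 paths are JSON Pointers: "" or a string starting with "/".
            findings.append(f"op {i}: path is not a JSON Pointer")
    return findings


# Constructed sample requests (not captured traffic).
BENIGN_BODY = json.dumps([{"op": "replace", "path": "/lastname", "value": "Smith"}])
SUSPECT_BODY = json.dumps([{"op": "replace", "value": "x",
                            "path": 'T(java.lang.Runtime).getRuntime().exec("PLACEHOLDER")'}])
HEADERS = {"Content-Type": "application/json-patch+json; charset=utf-8"}

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspect", SUSPECT_BODY)):
        print(label, inspect_patch_request("PATCH", HEADERS, body))
```

Feeding the same function with decoded requests from a proxy or access log gives a per-request verdict that can back a Sigma or WAF rule.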

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck      -        9.8    CRITICAL  -
vendor_redhat  -        9.8    CRITICAL  -