CVE-2018-1259

Severity: 7.5 HIGH
EPSS: 9.8% (top 7.02%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 11; Latest update Oct 17

Description

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files o

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (5 packages)

NVD: pivotal_software/spring_data_commons, 1.13 to 1.13.11 (+1)
CVEListV5: pivotal/spring_data_commons, 1.13 prior to 1.13.12; 2.0 prior to 2.0.7
NVD: xmlbeam/xmlbeam, 1.4.14

🔴 Vulnerability Details (3)

GHSA: Spring Data Commons, used in combination with XMLBeam, contains a property binder vulnerability caused by improper restriction of XML external entity references (2018-10-17)
OSV: Spring Data Commons, used in combination with XMLBeam, contains a property binder vulnerability caused by improper restriction of XML external entity references (2018-10-17)
CVEList: CVE-2018-1259: Spring Data Commons, versions 1 (2018-05-11)

📋 Vendor Advisories (1)

Red Hat: spring-data-commons: XXE with Spring Data's XMLBeam integration (2018-05-09)

💬 Community (2)

Bugzilla: CVE-2018-1259 springframework-data-commons: spring-data-commons: XXE with Spring Data's XMLBeam integration [fedora-all] (2018-05-16)
Bugzilla: CVE-2018-1259 spring-data-commons: XXE with Spring Data's XMLBeam integration (2018-05-16)
CVE-2018-1259 (HIGH CVSS 7.5) | Spring Data Commons | cvebase.io