⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-04-15.

CVE-2018-1273

CWE-94 — Code Injection CWE-138 CWE-20 — Improper Input Validation11 documents10 sources

Severity

9.8CRITICAL

EPSS

94.3%

top 0.06%

CISA KEV

KEVRansomware

Added 2022-03-25

Due 2022-04-15

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apache Ignite Pivotal Software Spring Data Commons Pivotal Software Spring Data Rest +2 more

Timeline

PublishedApr 11

KEV addedMar 25

KEV dueApr 15

Latest updateJan 15

CISA Required Action: Apply updates per vendor instructions.

Description

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages6 packages

▶Mavenorg.springframework.data:spring-data-commons1.13.0 — 1.13.11+1

▶NVDpivotal_software/spring_data_rest2.6.0 — 2.6.10+2

▶NVDpivotal_software/spring_data_commons1.13.0 — 1.13.10+2

▶CVEListV5spring_by_pivotal/spring_frameworkVersions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions

▶NVDapache/ignite1.0.1 — 2.5.0+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Spring Data Commons remote code injection vulnerability↗2018-10-17

▶

GHSA

Spring Data Commons remote code injection vulnerability↗2018-10-17

▶

CVEList

CVE-2018-1273: Spring Data Commons, versions prior to 1↗2018-04-11

▶

VulnCheck

VMware Tanzu Spring Data Commons Property Binder Vulnerability↗2018

▶

💥Exploits & PoCs

Nuclei

Spring Data Commons - Remote Code Execution

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Studio (Spring Data Commons) — CVE-2018-1273↗2023-01-15

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Studio (Spring Data Commons) — CVE-2018-1273↗2022-07-15

▶

CISA

VMware Tanzu Spring Data Commons Property Binder Vulnerability↗2022-03-25

▶

Red Hat

spring-data-commons: Improper neutralization of special elements allow remote attackers to execute code via crafted requests↗2018-03-27

▶

💬Community

Bugzilla

CVE-2018-1273 spring-data-commons: Improper neutralization of special elements allow remote attackers to execute code via crafted requests↗2018-04-11

▶