CVE-2018-1274

CWE-770 — Allocation without Limits CWE-1387 documents6 sources

Severity

7.5HIGH

EPSS

1.0%

top 23.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pivotal Software Spring Data Commons Pivotal Software Spring Data Rest Spring BY Pivotal Spring Framework

Timeline

PublishedApr 18

Latest updateOct 17

Description

Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDpivotal_software/spring_data_commons2.0.0 — 2.0.6+1

▶Mavenorg.springframework.data:spring-data-commons2.0.0 — 2.0.6+1

▶NVDpivotal_software/spring_data_rest2.6 — 2.6.10+1

▶CVEListV5spring_by_pivotal/spring_frameworkVersions 1.13 to 1.13.10, 2.0 to 2.0.5

🔴Vulnerability Details

GHSA

Spring Data Commons contain a property path parser vulnerability caused by unlimited resource allocation↗2018-10-17

▶

OSV

Spring Data Commons contain a property path parser vulnerability caused by unlimited resource allocation↗2018-10-17

▶

CVEList

CVE-2018-1274: Spring Data Commons, versions 1↗2018-04-18

▶

📋Vendor Advisories

Red Hat

spring-data-commons: Unlimited path depth in PropertyPath.java allow remote attackers to cause a denial of service↗2018-04-04

▶

💬Community

Bugzilla

CVE-2018-1274 spring-data-commons: Unlimited path depth in PropertyPath.java allow remote attackers to cause a denial of service↗2018-04-11

▶

Bugzilla

CVE-2018-1274 springframework-data-commons: spring-data-commons: Unlimited path depth in PropertyPath.java allow remote attackers to cause a denial of service [fedora-all]↗2018-04-11

▶