CVE-2018-1273

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:apache:ignite:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:ignite:1.0.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:ignite:1.0.0:rc3:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*

History

16 Jul 2024, 17:53

Type Values Removed Values Added
CPE cpe:2.3:a:apache:ignite:1.0.0:-:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
First Time Oracle financial Services Crime And Compliance Management Studio
Oracle
CWE CWE-20 CWE-74
References () https://www.oracle.com/security-alerts/cpujul2022.html - () https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory

Information

Published : 2018-04-11 13:29

Updated : 2024-07-16 17:53


NVD link : CVE-2018-1273

Mitre link : CVE-2018-1273

CVE.ORG link : CVE-2018-1273


JSON object : View

Products Affected

pivotal_software

  • spring_data_commons
  • spring_data_rest

oracle

  • financial_services_crime_and_compliance_management_studio

apache

  • ignite
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-94

Improper Control of Generation of Code ('Code Injection')