CVE-2018-1273

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:apache:ignite:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:ignite:1.0.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:ignite:1.0.0:rc3:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*

History

21 Nov 2024, 03:59

Type Values Removed Values Added
References () http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E - Mailing List, Third Party Advisory () http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E - Mailing List, Third Party Advisory
References () https://pivotal.io/security/cve-2018-1273 - Vendor Advisory () https://pivotal.io/security/cve-2018-1273 - Vendor Advisory
References () https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory () https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory

16 Jul 2024, 17:53

Type Values Removed Values Added
CPE cpe:2.3:a:apache:ignite:1.0.0:-:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
First Time Oracle financial Services Crime And Compliance Management Studio
Oracle
CWE CWE-20 CWE-74
References () https://www.oracle.com/security-alerts/cpujul2022.html - () https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory

Information

Published : 2018-04-11 13:29

Updated : 2024-11-21 03:59


NVD link : CVE-2018-1273

Mitre link : CVE-2018-1273

CVE.ORG link : CVE-2018-1273


JSON object : View

Products Affected

pivotal_software

  • spring_data_commons
  • spring_data_rest

apache

  • ignite

oracle

  • financial_services_crime_and_compliance_management_studio
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')