CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2018-1273

CVSS 9.8v3.1pub. 2018-04-11upd. 2026-06-26

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Ignite

    APP
    Apache
    1.0.01.0.1 – 2.5.0
  • Broadcom Spring Data Commons

    APP
    Broadcom
    1.13.0 – 1.13.102.0.0 – 2.0.5≤ 1.12.10
  • Oracle Financial Services Crime And Compliance Management Studio

    APP
    Oracle
    8.0.8.2.08.0.8.3.0
  • Pivotal Software Spring Data Rest

    APP
    Pivotal Software
    3.0.0 – 3.0.5
  • VMware Spring Data Rest

    APP
    Vmware
    2.6.0 – 2.6.10≤ 2.5.10

CISA KEV — detailsi

Vendori
VMware Tanzu
Producti
Spring Data Commons
Added to KEVi
March 25, 2022
Remediation deadline (US Federal)i
April 15, 2022(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Spring Data Commons contains a property binder vulnerability which can allow an attacker to perform remote code execution.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 15 kwietnia 2022
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-52577CRITICAL9.5PL ✓ten sam produkt

Apache Ignite: pominięcie filtrów deserializacji umożliwia RCE

CVE-2022-22978CRITICAL9.8ten sam produkt

In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatc...

CVE-2021-41303CRITICAL9.8ten sam produkt

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may caus...

CVE-2020-1963CRITICAL9.1ten sam produkt

Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which coul...

CVE-2018-8018CRITICAL9.8ten sam produkt

In Apache Ignite before 2.4.8 and 2.5.x before 2.5.3, the serialization mechanism does not have a list of clas...