CVE-2018-1259

Name of the Vulnerable Software and Affected Versions Spring Data Commons versions 1.13 prior to 1.13.12 Spring Data Commons versions 2.0 prior to 2.0.7

Description The issue is caused by improper restriction of XML external entity references in the underlying library XMLBeam, which does not restrict external reference expansion. This allows an unauthenticated remote malicious user to supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.

Recommendations For Spring Data Commons versions 1.13 prior to 1.13.12, update to version 1.13.12 or later. For Spring Data Commons versions 2.0 prior to 2.0.7, update to version 2.0.7 or later. As a temporary workaround, consider restricting access to the XMLBeam library until a patch is available.