PT-2018-3847 · Spring · Spring Data Commons

Published 2018-03-27 · Updated 2025-10-28 · CVE-2018-1273

CVSS v3.1: 10.0 (Critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
    Spring Data Commons versions prior to 1.13.10
    Spring Data Commons versions 2.0 to 2.0.5
    Spring Data Commons older unsupported versions
Description
The issue is caused by improper neutralization of special elements, resulting in a property binder vulnerability. An unauthenticated remote attacker can supply specially crafted request parameters to Spring Data REST backed HTTP resources, or to endpoints that use Spring Data's projection-based request payload binding, which can lead to remote code execution. The vulnerability is related to insufficient input validation in the SimpleEvaluationContext class of the Spring Data Commons platform and the Spring Data REST framework.
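The class named above, SimpleEvaluationContext, is Spring Expression's restricted evaluation context intended for property-binding use cases: it exposes property access but, unless explicitly enabled, no method invocation, constructors, type references or bean references. The following is an added example, not code from this advisory or from the Spring Data project, showing how a property path taken from an untrusted request parameter evaluates under such a context. It assumes spring-expression 4.3.15 / 5.0.5 or later (the versions that introduced SimpleEvaluationContext); the Customer class and the sample property paths are constructed for the example.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class RestrictedPropertyBinding {

    // Constructed stand-in for a domain object that request parameters are bound to.
    public static class Customer {
        private String name = "alice";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Evaluate a property path that originated in a request parameter against a
    // context that permits read-only property access only. Anything beyond a plain
    // property reference is rejected by the context rather than by ad-hoc string checks.
    public static Object readProperty(Object target, String propertyPath) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression expr = PARSER.parseExpression(propertyPath);
        return expr.getValue(ctx, target);
    }

    public static void main(String[] args) {
        Customer customer = new Customer();

        // A plain property path is the only kind of input this binding should accept.
        System.out.println("name -> " + readProperty(customer, "name"));

        // Constructed inputs that go beyond property access: a method call and a
        // constructor. Both fail under SimpleEvaluationContext because it registers no
        // method or constructor resolvers by default.
        String[] rejected = { "name.toUpperCase()", "new String('x')" };
        for (String path : rejected) {
            try {
                readProperty(customer, path);
                System.out.println(path + " -> unexpectedly evaluated");
            } catch (SpelEvaluationException e) {
                System.out.println(path + " -> rejected: " + e.getMessageCode());
            }
        }
    }
}
```

The defensive point is the choice of context, not the parser: the same SpelExpressionParser evaluating the same strings against a StandardEvaluationContext would resolve methods and constructors. Code that feeds request-derived property names into SpEL should use SimpleEvaluationContext (forReadOnlyDataBinding or forPropertyAccessors) and treat any SpelEvaluationException as a bad request.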
Recommendations
For Spring Data Commons versions prior to 1.13.10, update to version 1.13.10 or later. For Spring Data Commons versions 2.0 to 2.0.5, update to version 2.0.6 or later. For Spring Data Commons older unsupported versions, upgrade to a supported version and then apply the necessary updates. As a temporary workaround, restrict access to Spring Data REST backed HTTP resources and limit the use of projection-based request payload binding until a patch can be applied.

Tags: Exploit · Fix · RCE · Code Injection · Special Elements Injection

Weakness Enumeration

Related Identifiers
    BDU:2022-06726
    CVE-2018-1273
    GHSA-4FQ3-MR56-CG6R

Affected Products
    Spring Data Commons