Vulnerability Description
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references, because the underlying library XMLBeam does not restrict external entity expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pivotal Software | Spring Data Commons | >= 1.13, <= 1.13.11 |
| Pivotal Software | Spring Data Rest | <= 2.6.11 |
| Xmlbeam | Xmlbeam | <= 1.4.14 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2018:1809 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:3768 (Third Party Advisory)
- https://pivotal.io/security/cve-2018-1259 (Vendor Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html
FAQ
What is CVE-2018-1259?
CVE-2018-1259 is a vulnerability with a CVSS score of 7.5 (HIGH). Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper res...
How severe is CVE-2018-1259?
CVE-2018-1259 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above.
Is there a patch for CVE-2018-1259?
Check the references section above for vendor advisories and patch information. Affected products include: Pivotal Software Spring Data Commons, Pivotal Software Spring Data Rest, Xmlbeam Xmlbeam.