CVE-2018-1259
N/A
N/A
Summary
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Pivotal | Spring Data Commons | 1.13 prior to 1.13.12; 2.0 prior to 2.0.7 | affected |
Weaknesses
- XML Parsing
ADP Enrichment
CVE Program Container
Additional References
- https://access.redhat.com/errata/RHSA-2018:1809
- https://access.redhat.com/errata/RHSA-2018:3768
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://pivotal.io/security/cve-2018-1259
References
- https://access.redhat.com/errata/RHSA-2018:1809
- https://access.redhat.com/errata/RHSA-2018:3768
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://pivotal.io/security/cve-2018-1259
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.