CVE-2018-1259

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-1259
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1259.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2018-1259
Aliases
Published
2018-05-11T20:29:00Z
Modified
2024-10-12T03:09:32.030149Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.

References

Affected packages

Git / github.com/spring-projects/spring-data-commons

Affected ranges

Type
GIT
Repo
https://github.com/spring-projects/spring-data-commons
Events
Type
GIT
Repo
https://github.com/spring-projects/spring-data-rest
Events
Type
GIT
Repo
https://github.com/svenewald/xmlbeam
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

1.*

1.0
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.13.0.RELEASE
1.13.1.RELEASE
1.13.10.RELEASE
1.13.11.RELEASE
1.13.2.RELEASE
1.13.3.RELEASE
1.13.4.RELEASE
1.13.5.RELEASE
1.13.6.RELEASE
1.13.7.RELEASE
1.13.8.RELEASE
1.13.9.RELEASE
1.2.0
1.2.1
1.3.0
1.4.0
1.4.1
1.4.10
1.4.11
1.4.12
1.4.13
1.4.14
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9

2.*

2.0.0.RELEASE
2.0.1.RELEASE
2.0.2.RELEASE
2.0.3.RELEASE
2.0.4.RELEASE
2.0.5.RELEASE
2.0.6.RELEASE
2.1.0.M1
2.1.0.M2
2.1.0.M3
2.1.0.RC1
2.1.0.RC2
2.1.0.RELEASE
2.2.0.M1
2.2.0.M2
2.2.0.M3
2.2.0.M4
2.2.0.RC1
2.2.0.RC2
2.2.0.RC3
2.2.0.RELEASE
2.3.0.M1
2.3.0.M2
2.3.0.M3
2.3.0.M4
2.3.0.RC1
2.3.0.RC2
2.3.0.RELEASE
2.4.0
2.4.0-M1
2.4.0-M2
2.4.0-RC1
2.4.0-RC2
2.5.0
2.5.0-M1
2.5.0-M2
2.5.0-M3
2.5.0-M4
2.5.0-M5
2.5.0-RC1
2.6.0
2.6.0-M1
2.6.0-M2
2.6.0-M3
2.6.0-RC1

3.*

3.0.0
3.0.0-M1
3.0.0-M2
3.0.0-M3
3.0.0-M4
3.0.0-M5
3.0.0-M6
3.0.0-RC1
3.0.0-RC2
3.0.0.RELEASE
3.0.1
3.0.1.RELEASE
3.0.2
3.0.2.RELEASE
3.0.3
3.0.3.RELEASE
3.0.4
3.0.4.RELEASE
3.0.5
3.0.5.RELEASE
3.0.6
3.0.6.RELEASE

Other

before_master_reset_for_exceptionFeature
before_single_visitor_switch