CVE-2018-1259
- Source
- https://cve.org/CVERecord?id=CVE-2018-1259
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1259.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2018-1259
- Aliases
- Published
- 2018-05-11T20:29:00.307Z
- Modified
- 2026-04-11T19:04:51.399312Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
- References
Affected packages
Git
github.com/spring-projects/spring-data-commons
Affected ranges
- Type
- GIT
- Repo
- https://github.com/spring-projects/spring-data-commons
- Events
-
IntroducedLast affectedIntroducedLast affectedIntroducedLast affected
- Database specific
{ "source": "CPE_FIELD", "extracted_events": [ { "introduced": "1.13" }, { "last_affected": "1.13.11" }, { "introduced": "2.0" }, { "last_affected": "2.0.6" }, { "introduced": "3.0" }, { "last_affected": "3.0.6" } ], "cpe": [ "cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*" ] }
Affected versions
1.*
1.13.0.RELEASE
1.13.1.RELEASE
1.13.10.RELEASE
1.13.11.RELEASE
1.13.2.RELEASE
1.13.3.RELEASE
1.13.4.RELEASE
1.13.5.RELEASE
1.13.6.RELEASE
1.13.7.RELEASE
1.13.8.RELEASE
1.13.9.RELEASE
2.*
2.0.0.RELEASE
2.0.1.RELEASE
2.0.2.RELEASE
2.0.3.RELEASE
2.0.4.RELEASE
2.0.5.RELEASE
2.0.6.RELEASE
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
github.com/spring-projects/spring-data-rest
Affected ranges
- Type
- GIT
- Repo
- https://github.com/spring-projects/spring-data-rest
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "source": "CPE_FIELD", "extracted_events": [ { "introduced": "0" }, { "last_affected": "2.6.11" } ], "cpe": "cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*" }
Affected versions
2.*
2.0.0.M1
2.0.0.RC1
2.0.0.RELEASE
2.1.0.M1
2.1.0.RC1
2.1.0.RELEASE
2.2.0.M1
2.2.0.RC1
2.2.0.RELEASE
2.3.0.M1
2.3.0.RC1
2.3.0.RELEASE
2.4.0.M1
2.4.0.RC1
2.4.0.RELEASE
2.5.0.M1
2.5.0.RC1
2.5.0.RELEASE
2.6.0.M1
2.6.0.RC1
2.6.0.RELEASE
2.6.1.RELEASE
2.6.10.RELEASE
2.6.11.RELEASE
2.6.2.RELEASE
2.6.3.RELEASE
2.6.4.RELEASE
2.6.5.RELEASE
2.6.6.RELEASE
2.6.7.RELEASE
2.6.8.RELEASE
2.6.9.RELEASE
github.com/svenewald/xmlbeam
Affected ranges
- Type
- GIT
- Repo
- https://github.com/svenewald/xmlbeam
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "source": "CPE_FIELD", "extracted_events": [ { "introduced": "0" }, { "last_affected": "1.4.14" } ], "cpe": "cpe:2.3:a:xmlbeam:xmlbeam:*:*:*:*:*:*:*:*" }