GHSA-4fq3-mr56-cg6r

Source
https://github.com/advisories/GHSA-4fq3-mr56-cg6r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4fq3-mr56-cg6r/GHSA-4fq3-mr56-cg6r.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4fq3-mr56-cg6r
Aliases
Published
2018-10-17T17:23:24Z
Modified
2024-03-20T14:30:52.766438Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Spring Data Commons remote code injection vulnerability
Details

Spring Data Commons versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote attacker can supply specially crafted request parameters to Spring Data REST backed HTTP resources, or through Spring Data's projection-based request payload binding, which can lead to remote code execution.

Database specific
{
    "nvd_published_at": "2018-04-11T13:29:00Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:58:14Z"
}
References

Affected packages

Maven / org.springframework.data:spring-data-commons

Package

Name
org.springframework.data:spring-data-commons
Purl
pkg:maven/org.springframework.data/spring-data-commons

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.13.0
Fixed
1.13.11

Affected versions

1.*

1.13.0.RELEASE
1.13.1.RELEASE
1.13.2.RELEASE
1.13.3.RELEASE
1.13.4.RELEASE
1.13.5.RELEASE
1.13.6.RELEASE
1.13.7.RELEASE
1.13.8.RELEASE
1.13.9.RELEASE
1.13.10.RELEASE

Maven / org.springframework.data:spring-data-commons

Package

Name
org.springframework.data:spring-data-commons
Purl
pkg:maven/org.springframework.data/spring-data-commons

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.6

Affected versions

2.*

2.0.0.RELEASE
2.0.1.RELEASE
2.0.2.RELEASE
2.0.3.RELEASE
2.0.4.RELEASE
2.0.5.RELEASE