Property Binder Vulnerability in Spring Data Commons by Pivotal
CVE-2018-1273
Key Information:
- Vendor
Spring By Pivotal
- Status
- Vendor
- CVE Published:
- 11 April 2018
Badges
What is CVE-2018-1273?
Spring Data Commons contains a significant property binder vulnerability that arises from the improper handling of special elements in request parameters. This vulnerability can be exploited by an unauthenticated attacker, allowing them to send specially crafted requests to Spring Data REST-backed HTTP resources. Through this exploitation, it is possible for malicious users to execute arbitrary code remotely by leveraging projection-based request payload binding, potentially compromising the integrity and security of affected systems.
CISA has reported CVE-2018-1273
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2018-1273 as being exploited and is known by the CISA as enabling ransomware campaigns.
The CISA's recommendation is: Apply updates per vendor instructions.
Affected Version(s)
Spring Framework Versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
EPSS Score
94% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 💰
Used in Ransomware
- 🦅
CISA Reported
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved