Property Path Parser Vulnerability in Spring Data Commons by Pivotal
CVE-2018-1274
7.5 HIGH
What is CVE-2018-1274?
The property path parser vulnerability in Spring Data Commons allows an unauthenticated remote attacker to exploit endpoints utilizing property path parsing. By sending specially crafted requests, the attacker can trigger excessive CPU and memory consumption, ultimately leading to denial of service. This affects multiple versions of the product including 1.13 to 1.13.10 and 2.0 to 2.0.5, as well as older, unsupported versions. Organizations using Spring Data Commons should implement necessary updates to mitigate this risk.
Affected Version(s)
Spring Framework Versions 1.13 to 1.13.10, 2.0 to 2.0.5
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged