Vulnerability CVE-2017-8046
Published: 2018-01-04

Description:
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

See advisories in our WLB2 database:
Topic
Author
Date
High
Spring Data REST < 2.6.9 (Ingalls SR9), 3.0.1 (Kay SR1) PATCH Request Remote Code Execution
Antonio Francesc...
16.03.2018

Type:

CWE-20

 (Improper Input Validation)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Pivotal software -> Spring data rest 
Pivotal software -> Spring boot 

 References:
http://www.securityfocus.com/bid/100948
https://access.redhat.com/errata/RHSA-2018:2405
https://pivotal.io/security/cve-2017-8046
https://www.exploit-db.com/exploits/44289/
Copyright 2024, cxsecurity.com

 

Back to Top