Description
A malicious PATCH request sent to a server running Spring Data REST prior to 2.6.9 (Ingalls SR9) or 3.0.1 (Kay SR1), or Spring Boot prior to 1.5.9 or 2.0 M6, can use specially crafted JSON data to run arbitrary Java code.
Remediation
Upgrade Spring Data REST to 2.6.9 (Ingalls SR9) or 3.0.1 (Kay SR1) or later, and Spring Boot to 1.5.9 or 2.0 M6 or later, which are the fixed versions named in the description above.
References
https://pivotal.io/security/cve-2017-8046
http://www.securityfocus.com/bid/100948
https://www.exploit-db.com/exploits/44289/
https://access.redhat.com/errata/RHSA-2018:2405
Related Vulnerabilities
CVE-2023-34981 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2022-34169 Vulnerability in maven package xalan:xalan
CVE-2022-36893 Vulnerability in maven package org.jenkins-ci.plugins:rpmsign-plugin
CVE-2018-1000067 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2017-7661 Vulnerability in maven package org.apache.cxf.fediz:fediz-oidc