Description

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

Remediation

References

https://pivotal.io/security/cve-2017-8046

http://www.securityfocus.com/bid/100948

https://www.exploit-db.com/exploits/44289/

https://access.redhat.com/errata/RHSA-2018:2405

Related Vulnerabilities

CVE-2023-48240 Vulnerability in maven package org.xwiki.platform:xwiki-platform-diff-xml

CVE-2021-39109 Vulnerability in npm package atlasboard

CVE-2023-33202 Vulnerability in maven package org.bouncycastle:bc-fips

CVE-2014-0086 Vulnerability in maven package org.richfaces.core:richfaces-core-impl

CVE-2020-2269 Vulnerability in maven package org.jenkins-ci.plugins:chosen-views-tabbar

Severity

Critical

Classification

CWE-20 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Third Party Advisory VDB Entry