Description
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
Remediation
References
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
https://pivotal.io/security/cve-2018-1273
https://www.oracle.com/security-alerts/cpujul2022.html
Related Vulnerabilities
CVE-2015-8854 Vulnerability in npm package marked
CVE-2020-12265 Vulnerability in maven package org.webjars.npm:decompress
CVE-2021-3827 Vulnerability in maven package org.keycloak:keycloak-server-spi-private
CVE-2019-10277 Vulnerability in maven package hudson.plugins:starteam
CVE-2015-8858 Vulnerability in maven package org.webjars.npm:uglify-js