Description
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.
Remediation
References
https://pivotal.io/security/cve-2018-1273
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
https://www.oracle.com/security-alerts/cpujul2022.html
Related Vulnerabilities
CVE-2023-49372 Vulnerability in maven package com.jfinal:jfinal
CVE-2023-33246 Vulnerability in maven package org.apache.rocketmq:rocketmq-broker
CVE-2022-42920 Vulnerability in maven package org.apache.bcel:bcel
CVE-2021-20293 Vulnerability in maven package org.jboss.resteasy:resteasy-core
CVE-2023-43123 Vulnerability in maven package org.apache.storm:storm-core