Description
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
Remediation
References
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
https://pivotal.io/security/cve-2018-1273
https://www.oracle.com/security-alerts/cpujul2022.html
Related Vulnerabilities
CVE-2020-2283 Vulnerability in maven package org.jenkins-ci.plugins:liquibase-runner
CVE-2020-2257 Vulnerability in maven package org.jenkins-ci.plugins:validating-string-parameter
CVE-2022-43402 Vulnerability in maven package org.jenkins-ci.plugins.workflow:workflow-cps
CVE-2020-2218 Vulnerability in maven package org.jenkins-ci.plugins:hp-quality-center