Description
Spring Data Commons versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions contain a property binder vulnerability caused by improper neutralization of special elements: the property path taken from a request parameter name is evaluated as a SpEL expression instead of being treated as a plain bean property path. An unauthenticated remote attacker can supply specially crafted request parameters against Spring Data REST-backed HTTP resources, or through Spring Data's projection-based request payload binding, which can lead to remote code execution.
Remediation
Upgrade Spring Data Commons: 1.13.x users should move to 1.13.11 and 2.0.x users to 2.0.6 (or later). The fix also ships in Spring Data REST 2.6.11 and 3.0.6, the Spring Data release trains Ingalls SR11 and Kay SR6, and Spring Boot 1.5.11 and 2.0.1. Older, unsupported lines have no fixed release and must be migrated to a supported version.
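A practical way to check an application against this advisory is to read the resolved Spring Data Commons version out of a Maven dependency list and compare it with the affected ranges above, and, on the request side, to flag parameter names that are not plain bean property paths (the only shape a legitimate binder key should have). The following Python is an added example written for this page, not code from the advisory or from the Spring Data project; the affected ranges come from the advisory, the fixed versions 1.13.11 and 2.0.6 are the Pivotal fix releases, and the `mvn dependency:list` output and query strings are constructed sample data.

```python
"""Added example for CVE-2018-1273 (not part of the original advisory).

Two checks a practitioner would run:
  1. is_affected / affected_dependencies: does the build resolve an
     affected Spring Data Commons version?
  2. suspicious_params: do request parameter names stray outside the
     plain property-path grammar the binder should accept?
"""
import re
from urllib.parse import parse_qsl

# Fix releases for the two affected lines named in the advisory.
# Anything below these (and any older, unsupported line) is affected.
FIXED = {(1, 13): (1, 13, 11), (2, 0): (2, 0, 6)}


def parse_version(version):
    """'2.0.5.RELEASE' -> (2, 0, 5); qualifiers like RELEASE/SR1 are dropped."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_affected(version):
    v = parse_version(version)
    line = v[:2]
    if line in FIXED:
        return v < FIXED[line]
    # Lines older than 1.13 are the "older unsupported versions" of the
    # advisory; lines newer than 2.0 were cut after the fix and are not
    # in the affected list.
    return v < (1, 13, 0)


# Line shape of `mvn dependency:list`: groupId:artifactId:type:version:scope
DEP_RE = re.compile(
    r"org\.springframework\.data:spring-data-commons:jar:([^:\s]+):"
)


def affected_dependencies(mvn_output):
    """Return every resolved spring-data-commons version that is affected."""
    return [m.group(1) for m in DEP_RE.finditer(mvn_output)
            if is_affected(m.group(1))]


# A bean property path is identifiers joined by dots, optionally with
# numeric list indices: name, address.street, tags[0]. Anything else
# (e.g. '#', parentheses, or a non-numeric bracket index) is not a
# property path and is the kind of key this bug turns into an expression.
# Map-style keys such as attrs[color] will also be flagged; allow-list
# them explicitly if your API uses them.
PROPERTY_PATH_RE = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*|\[\d+\])*$"
)


def suspicious_params(query_string):
    """Return the (percent-decoded) parameter names that are not plain property paths."""
    return [key for key, _ in parse_qsl(query_string, keep_blank_values=True)
            if not PROPERTY_PATH_RE.match(key)]


# Constructed sample output, not from a real build.
SAMPLE_MVN_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.data:spring-data-commons:jar:2.0.5.RELEASE:compile
[INFO]    org.springframework.data:spring-data-rest-core:jar:3.0.5.RELEASE:compile
[INFO]    org.springframework.data:spring-data-commons:jar:2.0.6.RELEASE:test
"""

if __name__ == "__main__":
    print("affected:", affected_dependencies(SAMPLE_MVN_DEPENDENCY_LIST))
    print("clean:", suspicious_params("name=alice&address.street=Main&tags[0]=x"))
    print("flagged:", suspicious_params("name%5B%23something%5D=x"))
```

The parameter check is deliberately an allow-list rather than a search for known payload fragments: the binder should never see a key that is not a property path, so anything outside that grammar is worth logging regardless of what expression it carries. Run the version check against the output of `mvn dependency:list` for each module, since a transitive upgrade of Spring Boot can still leave an explicitly pinned older spring-data-commons in place.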
References
https://pivotal.io/security/cve-2018-1273
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
https://www.oracle.com/security-alerts/cpujul2022.html