CVE-2018-1273
KEV
🔴 Patch now
A vulnerability in Spring Data Commons allows remote code execution by an unauthenticated user.
CVSS
9.8
EPSS
95.7%
Exploit
weaponized
Vendor
apache
Source description (NVD)
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.
rce
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (actively exploited) | Yes |
| FIRST EPSS (exploit probability) | 95.7% |
| Published (NVD) | 2018-04-11 13:29:00 UTC |
| Last modified (NVD) | 2026-06-26 18:44:14 UTC |
References
- http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E (security_alert@emc.com) [Mailing List, Third Party Advisory]
- https://pivotal.io/security/cve-2018-1273 (security_alert@emc.com) [Vendor Advisory]
- https://www.oracle.com/security-alerts/cpujul2022.html (security_alert@emc.com) [Patch, Third Party Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1273 (134c704f-9b21-4f2e-91b3-4a467353bcc0) [US Government Resource]