CVE Catalog

Actively exploited in the wild

VMware Tanzu Spring Data Commons Property Binder Vulnerability

VMware Tanzu — Spring Data Commons · Listed in the CISA KEV since 2022-03-25. This indicates confirmed attacks in production environments.

Required action: Apply updates per vendor instructions.

CVE-2018-1273

Severity: Critical · CVSS 9.8 · KEV

Exploitation Probability (EPSS)

Very high risk
95.65%

100th percentile — higher than 100% of all known CVEs

Summary

Vulnerability in Spring Data Commons (versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions) due to improper neutralization of special elements in the property binder. An unauthenticated remote attacker can supply specially crafted request parameters against Spring Data REST backed HTTP resources or use Spring Data's projection-based request payload binding, leading to remote code execution.

Risk Assessment

The risk for the organization includes the possibility of remote code execution by an unauthenticated attacker, potentially leading to full server compromise, data theft, or service disruption.

Recommendation

Immediately update Spring Data Commons to version 1.13.11 or 2.0.6 or later. If updating is not possible, restrict access to Spring Data REST resources to trusted networks and users only.

Original NVD description (English source)

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS