Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2018-1259 from the MITRE CVE dictionary dictionary and NIST NVD.
| CVSS3 Base Score | 7.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity Impact | Low |
| Availability Impact | Low |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Fuse 7 | RHSA-2018:3768 | 2018-12-04 |
| Red Hat OpenShift Application Runtimes 1.0 | RHSA-2018:1809 | 2018-06-07 |
| Platform | Package | State |
|---|---|---|
| Red Hat Mobile Application Platform On-Premise 4 | spring-data-commons | Not affected |
| Red Hat JBoss Fuse 6 | spring-data-commons | Not affected |
Vulmon