CVE-2018-1273

Published: 11/04/2018 Updated: 28/03/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 670
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Spring Data Commons, versions before 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.

Affected Products

Vendor | Product | Versions
Apache | Ignite | 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.3, 1.1.4, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.5.0, 1.6.0, 1.6.4, 1.7.0, 1.7.10, 1.8.0, 1.9.0, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0
Pivotal Software | Spring Data Commons | 1.12.10, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.13.8, 1.13.9, 1.13.10, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5
Pivotal Software | Spring Data Rest | 2.5.10, 2.6, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5

Vendor Advisories

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or ...

Github Repositories

CVE-2018-1273 Spring Data Commons RCE (remote command execution vulnerability). Usage: C:\Users\CTF\Desktop>python cve-2018-1273.py

CVE-2018-1273. This is part of Cved: a tool to manage vulnerable docker containers. Cved: gitlab.com/git-rep/cved. Image source: github.com/cved-sources/cve-2018-1273. Image author: github.com/Medicean/VulApps/tree/master/s/spring/2

CVE-2018-1273. Environment for CVE-2018-1273. CVE-2018-1273: RCE with Spring Data Commons, pivotal.io/security/cve-2018-1273. Application: github.com/spring-projects/spring-data-examples/tree/master/web/example. Build: $ docker build -t cve-2018-1273 . Run: $ docker run -d -p 8080:8080 cve-2018-1273. Web: localhost:8080/users/. Attack: $ curl -v -d 'username[

CVE-2018-1273. Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Dat

IOC-Sharing: public IOCs for the community. IDS (Suricata/Snort) rules for detection of CVE-2019-0708 and CVE-2018-1273. Data from private and community TI.

DISCLAIMER: This repository is supplementary to the VGS blog post, How to Avoid "Using Components with Known Vulnerabilities". It contains an application with a known security vulnerability (namely, CVE-2017-8046), as well as the description of how to exploit it. Use the application at your own risk! Setting Up: First, start the application by executing the following c

My vulnerability reproduction log (continuously updated). CVE-NO STATUS RESULT REFERENCE. Middleware vulnerabilities: Tomcat 7.0.86 CVE-2016-5003 FINISH FAIL 0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html; CVE-2016-5002 FINISH PASS 0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html; 8.0.36 CVE-2016-8735 FINISH PASS gv7.me/articles

gocarts (go-CERT-alerts-summarizer). gocarts checks alerts of X-CERT (e.g. JPCERT, US-CERT). This project refers to knqyf263/gost. Abstract: gocarts is written in Go, and therefore you can just grab the binary releases and drop them in your $PATH. gocarts summarizes alerts by CVE ID. You can search an alert's details by CVE ID. Main features: gocarts has the following features. S

Awesome CVE PoC: a curated list of CVE PoCs. Here is a collection of Proof of Concepts for Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :