CVE-2017-8046: RCE in PATCH requests in Spring Data REST
Spring by Pivotal
Malicious PATCH requests submitted to spring-data-rest servers can use specially crafted JSON data to run arbitrary Java code.
Severity is critical unless otherwise noted.
- Spring Data REST versions prior to 2.5.12, 2.6.7, 3.0 RC3
- Spring Boot versions prior to 2.0.0.M4
- Spring Data release trains prior to Kay-RC3
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
  - Spring Data REST 2.5.12, 2.6.7, 3.0 RC3
  - Spring Boot 2.0.0.M4
  - Spring Data release train Kay-RC3
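As an added check (not part of the advisory or of Pivotal's tooling), the following Python compares a Spring Data REST version against the fixed releases listed above and scans constructed `mvn dependency:tree` output for affected jars. It assumes versions use Maven coordinates such as `2.6.7.RELEASE` or `3.0.0.RC3`, and treats lines older than 2.5 as affected because the advisory lists no fixed release for them.

```python
"""Flag Spring Data REST versions that predate the CVE-2017-8046 fixes."""
import re

# Spring's qualifier order: milestone < release candidate < GA release.
_QUALIFIER_RANK = {"M": 0, "RC": 1, "RELEASE": 2}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Z]+)(\d*))?$")


def parse_version(version: str) -> tuple:
    """Turn '2.6.7.RELEASE', '3.0.0.RC2' or '2.6.7' into a sortable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version: {version!r}")
    major, minor, patch, qual, qual_num = m.groups()
    qual = qual or "RELEASE"  # a bare x.y.z is treated as the GA release
    if qual not in _QUALIFIER_RANK:
        raise ValueError(f"unknown qualifier in {version!r}")
    return (int(major), int(minor), int(patch),
            _QUALIFIER_RANK[qual], int(qual_num or 0))


# First fixed release on each affected line, taken from the advisory.
_FIXED = {(2, 5): "2.5.12.RELEASE", (2, 6): "2.6.7.RELEASE", (3, 0): "3.0.0.RC3"}


def is_affected(version: str) -> bool:
    """True if this Spring Data REST version predates the fix on its line."""
    v = parse_version(version)
    line = (v[0], v[1])
    if line in _FIXED:
        return v < parse_version(_FIXED[line])
    return line < (2, 5)  # no fix listed for older lines: treat as affected


# Matches Spring Data REST jars in `mvn dependency:tree` output.
_DEP_RE = re.compile(r"(org\.springframework\.data:spring-data-rest-[a-z]+):jar:([^:\s]+):")


def scan_dependency_tree(tree_output: str) -> list:
    """Return (artifact, version, affected) for every Spring Data REST jar."""
    return [(artifact, version, is_affected(version))
            for artifact, version in _DEP_RE.findall(tree_output)]


# Constructed sample in the shape of `mvn dependency:tree` output.
SAMPLE_TREE = """\
[INFO] +- org.springframework.data:spring-data-rest-webmvc:jar:2.6.6.RELEASE:compile
[INFO] +- org.springframework.data:spring-data-rest-core:jar:2.6.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.6.RELEASE:compile
"""

if __name__ == "__main__":
    for artifact, version, affected in scan_dependency_tree(SAMPLE_TREE):
        print(f"{artifact} {version}: {'AFFECTED' if affected else 'ok'}")
```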
This vulnerability was responsibly reported by Man Yue Mo from Semmle and lgtm.com.
2017-09-21: Initial vulnerability report published