CVE-2017-8046: RCE in PATCH requests in Spring Data REST

Severity

Critical

Vendor

Spring by Pivotal

Description

Malicious PATCH requests submitted to spring-data-rest servers can use specially crafted JSON data to run arbitrary Java code.

Affected Pivotal Products and Versions

Severity is critical unless otherwise noted.

  • Spring Data REST versions prior to 2.5.12, 2.6.7, 3.0 RC3
  • Spring Boot versions prior to 2.0.0.M4
  • Spring Data release trains prior to Kay-RC3

Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • Spring Data REST 2.5.12, 2.6.7, 3.0 RC3
    • Spring Boot 2.0.0.M4
    • Spring Data release train Kay-RC3
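The following script is an added illustration of how an operator can check a deployed or declared Spring Data REST version against the fixed releases listed above; it is not part of Pivotal's advisory. It assumes Spring's version scheme (major.minor.patch with M, RC and RELEASE qualifiers, milestones ordering before release candidates), that a bare "2.6.7" means the GA release, that release lines older than 2.5.x fall under "prior to 2.5.12", and that lines newer than 3.0 postdate the fix. The pom.xml fragment is constructed for the example.

```python
"""Check a Spring Data REST version against the CVE-2017-8046 fixed releases (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Qualifier ordering assumed for Spring's version scheme: milestone < release candidate < GA.
_QUALIFIER_RANK = {"BUILD-SNAPSHOT": 0, "M": 1, "RC": 2, "RELEASE": 3}

# (major, minor, patch, qualifier rank, qualifier number) - tuples compare lexicographically.
Version = Tuple[int, int, int, int, int]

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?"                                  # major.minor[.patch]
    r"(?:[.\s-](BUILD-SNAPSHOT|RELEASE|M(\d+)|RC(\d+)))?$"        # optional qualifier
)


def parse_version(text: str) -> Version:
    """Parse strings such as '2.6.6.RELEASE', '3.0.0.M4', '3.0 RC3' or '2.6.7'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    qualifier = m.group(4) or "RELEASE"  # assumption: no qualifier means a GA release
    if qualifier.startswith("M"):
        return (major, minor, patch, _QUALIFIER_RANK["M"], int(m.group(5)))
    if qualifier.startswith("RC"):
        return (major, minor, patch, _QUALIFIER_RANK["RC"], int(m.group(6)))
    return (major, minor, patch, _QUALIFIER_RANK[qualifier], 0)


# Fixed releases named in the advisory: 2.5.12, 2.6.7 and 3.0 RC3 (oldest first).
FIXED_RELEASES = [
    parse_version("2.5.12.RELEASE"),
    parse_version("2.6.7.RELEASE"),
    parse_version("3.0.0.RC3"),
]


def fix_for(version: Version) -> Optional[Version]:
    """Return the fixed release on the same major.minor line, or None if the advisory lists none."""
    for fixed in FIXED_RELEASES:
        if fixed[:2] == version[:2]:
            return fixed
    return None


def is_affected(text: str) -> bool:
    """True when the given Spring Data REST version predates the fix for its release line."""
    v = parse_version(text)
    fixed = fix_for(v)
    if fixed is not None:
        return v < fixed
    # Lines without a dedicated fix: anything older than 2.5.12 is "prior to 2.5.12" and
    # affected; an unlisted newer line (e.g. 3.1) is assumed to postdate the 3.0 RC3 fix.
    return v < FIXED_RELEASES[0]


def _local(tag: str) -> str:
    """Strip the Maven POM namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def spring_data_rest_version_from_pom(pom_xml: str) -> Optional[str]:
    """Return the declared version of the first spring-data-rest-* dependency in a pom.xml,
    resolving ${property} references. Returns None when no version is declared (for example
    when Spring Boot's dependency management supplies it; then check the Boot version instead)."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props = {_local(p.tag): (p.text or "").strip() for p in el}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (fields.get("groupId") == "org.springframework.data"
                and fields.get("artifactId", "").startswith("spring-data-rest")):
            version = fields.get("version")
            if version and version.startswith("${") and version.endswith("}"):
                version = props.get(version[2:-1])
            return version
    return None


# Constructed sample pom.xml (not from any real project) declaring a pre-fix version.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <spring-data-rest.version>2.6.6.RELEASE</spring-data-rest.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.data</groupId>
      <artifactId>spring-data-rest-webmvc</artifactId>
      <version>${spring-data-rest.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for candidate in ("2.5.11.RELEASE", "2.5.12.RELEASE", "2.6.6.RELEASE", "3.0.0.M4", "3.0.0.RC3"):
        print(f"{candidate:16} affected={is_affected(candidate)}")
    declared = spring_data_rest_version_from_pom(SAMPLE_POM)
    print(f"pom declares {declared}: affected={is_affected(declared)}")
```

When the dependency carries no explicit version, the effective version comes from the Spring Boot or Spring Data release train BOM, so compare the Boot version against 2.0.0.M4 (or the train against Kay-RC3) rather than treating a missing version as safe.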

Credit

This vulnerability was responsibly reported by Man Yue Mo from Semmle and lgtm.com.

History

2017-09-21: Initial vulnerability report published