Cyber Resilience

CVE-2018-1273

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked · RCE

Published: 11 April 2018
Modified: 28 October 2025
KEV Added: 25 March 2022
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9429 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-1273 is a critical-severity Code Injection (CWE-94) vulnerability in Pivotal Software Spring Data Commons. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Spring Data Commons versions prior to 1.13.10 and 2.0.5, along with older unsupported releases, contain a property binder vulnerability stemming from improper neutralization of special elements. The flaw resides in the component responsible for binding request data and affects Spring Data REST HTTP resources as well as projection-based request payload handling.

An unauthenticated remote attacker can supply crafted request parameters to trigger the issue, resulting in remote code execution with full confidentiality, integrity, and availability impact. The vulnerability carries a CVSS 3.1 score of 9.8 under the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and is associated with CWE-94.

Pivotal and Oracle advisories direct users to upgrade to the fixed releases 1.13.10 or 2.0.5; the same guidance appears in related Apache project mailing-list discussions referencing the CVE. No information on observed in-the-wild exploitation is provided in the source material.

Vulnerability details

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.

CWE(s): CWE-94 (Code Injection)
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Pivotal Software / Spring Data Commons
≤ 1.12.10 · 1.13.0 — 1.13.10 · 2.0.0 — 2.0.5

Pivotal Software / Spring Data REST
≤ 2.5.10 · 2.6.0 — 2.6.10 · 3.0.0 — 3.0.5

Apache / Ignite
1.0.0 · 1.0.1 — 2.5.0

Oracle / Financial Services Crime and Compliance Management Studio
8.0.8.2.0, 8.0.8.3.0

Mitigating Controls (NIST 800-53 r5)

SI-10 (Information Input Validation) · prevent

Directly requires validation and neutralization of untrusted input parameters before binding, blocking the crafted payloads that trigger RCE in the Spring Data property binder.

AC-3 (Access Enforcement) · prevent

Enforces access-control decisions on Spring Data REST endpoints so that unauthenticated remote attackers cannot reach the vulnerable binding logic.

prevent

Mandates timely installation of security-relevant patches, directly addressing the upgrade to Spring Data Commons 1.13.10 / 2.0.5 that eliminates the flaw.
