CVE-2018-1273
Published: 11 April 2018
Summary
CVE-2018-1273 is a critical-severity Code Injection (CWE-94) vulnerability in Pivotal Software Spring Data Commons. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Spring Data Commons versions prior to 1.13.10 and 2.0.5, along with older unsupported releases, contain a property binder vulnerability stemming from improper neutralization of special elements. The flaw resides in the component that binds request data onto domain objects: the binder evaluated client-supplied property paths as Spring Expression Language (SpEL) expressions, which is why the weakness is classed as code injection (CWE-94). It is reachable through Spring Data REST HTTP resources and through Spring Data's projection-based request payload binding.
An unauthenticated remote attacker can supply crafted request parameters to trigger the issue, resulting in remote code execution with full confidentiality, integrity, and availability impact. The vulnerability carries a CVSS 3.1 score of 9.8 under the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and is associated with CWE-94.
Pivotal and Oracle advisories direct users to upgrade to the fixed releases 1.13.10 or 2.0.5; the same guidance appears in related Apache project mailing-list discussions referencing the CVE. The vendor advisories themselves do not describe in-the-wild exploitation, but CISA's addition of the CVE to its Known Exploited Vulnerabilities catalog (25 March 2022) means active exploitation has been reported, so exposed instances should be treated as actively targeted rather than theoretically at risk.
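The first thing a practitioner needs from this advisory is a reliable way to tell whether a build ships an affected Spring Data Commons. The script below is an added example, not code from the advisory or from the Spring Data project: it encodes the affected ranges stated above (anything below 1.13.10, and 2.0.0 up to but excluding 2.0.5) and scans Maven `dependency:list` and Gradle `dependencies` output for the artifact. Ignoring pre-release qualifiers, the listing formats, and the sample listing itself are assumptions noted in the code.

```python
"""Version triage for CVE-2018-1273 in Spring Data Commons.

Added example for this page; it is not code from the advisory or from
the Spring Data project. The fixed versions (1.13.10 and 2.0.5) and the
affected ranges come from the advisory text. Treatment of pre-release
qualifiers and the dependency-listing formats are assumptions noted
inline; the listing at the bottom is constructed for the example."""
import re

ARTIFACT = "org.springframework.data:spring-data-commons"  # Maven coordinates
FIXED_1_13 = (1, 13, 10)
FIXED_2_0 = (2, 0, 5)

# major.minor.patch plus an optional Spring-style qualifier
# (.RELEASE, .M1, .RC1, .BUILD-SNAPSHOT).
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z0-9][A-Za-z0-9.-]*)?$"
)
# Matches the artifact in `mvn dependency:list` ("...:jar:2.0.4.RELEASE:compile")
# and in Gradle `dependencies` output ("...:2.0.4.RELEASE").
_DEP_RE = re.compile(
    r"org\.springframework\.data:spring-data-commons:(?:jar:)?([^:\s]+)"
)
# Gradle prints "requested -> resolved" when conflict resolution changed the version.
_GRADLE_RESOLVED_RE = re.compile(r"->\s+(\S+)")


def parse_version(version):
    """Return (major, minor, patch) for strings such as '2.0.4.RELEASE'.

    Assumption: the qualifier is ignored, so '2.0.5.BUILD-SNAPSHOT' compares
    as 2.0.5; anything that is not three numeric components raises ValueError."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the version lies in an affected range.

    Everything below 1.13.10 is affected: that covers 1.13.0 to 1.13.9 and
    every older, unsupported 1.x line (the advisory's "older unsupported
    versions"). In the 2.0 line, 2.0.0 up to but excluding 2.0.5 is affected."""
    v = parse_version(version)
    return v < FIXED_1_13 or (2, 0, 0) <= v < FIXED_2_0


def scan_dependency_listing(text):
    """Return [(version, vulnerable)] for every spring-data-commons line found.

    `vulnerable` is True/False, or None when the version string could not be
    parsed and needs a manual look."""
    results = []
    for line in text.splitlines():
        m = _DEP_RE.search(line)
        if not m:
            continue
        version = m.group(1)
        resolved = _GRADLE_RESOLVED_RE.search(line)
        if resolved:
            version = resolved.group(1)  # the resolved version is what ships
        try:
            results.append((version, is_vulnerable(version)))
        except ValueError:
            results.append((version, None))
    return results


# Constructed sample: two Maven lines and two Gradle lines.
SAMPLE_LISTING = "\n".join([
    "[INFO] The following files have been resolved:",
    "[INFO]    org.springframework.data:spring-data-commons:jar:2.0.4.RELEASE:compile",
    "[INFO]    org.springframework.data:spring-data-rest-core:jar:3.0.4.RELEASE:compile",
    "+--- org.springframework.data:spring-data-commons:1.13.9.RELEASE -> 2.0.6.RELEASE (*)",
    "\\--- org.springframework.data:spring-data-commons:1.12.11.RELEASE",
])

if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "fixed", None: "unparsable"}
    for version, vulnerable in scan_dependency_listing(SAMPLE_LISTING):
        print("%s:%s  %s" % (ARTIFACT, version, labels[vulnerable]))
```

Two details matter in practice: Gradle's `requested -> resolved` arrow means the version on the right is the one actually on the classpath, so the scan reports that one; and a transitive pull of an old 1.x line (here 1.12.11) counts as affected even though it predates the 1.13 range named in the advisory, because the advisory's "older unsupported versions" never received a fix.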
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-0500
Vulnerability details
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.
- CWE(s): CWE-94 (Code Injection)
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Spring Data Commons 1.13.x before 1.13.10, 2.0.x before 2.0.5, and older unsupported versions; in practice, any application on those versions that exposes Spring Data REST HTTP resources or uses Spring Data's projection-based request payload binding.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and neutralization of untrusted input parameters before binding, blocking the crafted payloads that trigger RCE in the Spring Data property binder.
- AC-3 (Access Enforcement): enforces access-control decisions on Spring Data REST endpoints so that unauthenticated remote attackers cannot reach the vulnerable binding logic.
- SI-2 (Flaw Remediation): mandates timely installation of security-relevant patches, directly addressing the upgrade to Spring Data Commons 1.13.10 / 2.0.5 that eliminates the flaw.
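The input-validation control above is abstract; what it means for this CVE is refusing request parameter names that are anything other than plain property paths, because the crafted input is the parameter name itself, which the vulnerable binder treats as a property path and evaluates as a Spring Expression Language (SpEL) expression. The script below is an added example, not code from the advisory or from the Spring Data project: it gives an allowlist check that can sit in a filter in front of the binder as a compensating control until the upgrade lands, and reuses the same check as detection logic over access-log lines. The allowlist grammar, the combined-format log lines, and the probe strings in them are constructed for the example.

```python
"""Detecting and blocking crafted property paths for CVE-2018-1273.

Added example for this page; it is not code from the advisory or from
the Spring Data project. Assumption: the crafted input is the request
parameter *name*, which the vulnerable binder treats as a property path
and evaluates as a Spring Expression Language (SpEL) expression, so both
checks here examine names rather than values. The allowlist grammar and
the access-log lines are constructed for the example."""
import re
from urllib.parse import parse_qsl

# Allowlist: what a legitimate data-binding property path looks like.
# Dotted identifiers with an optional numeric index or simple quoted map
# key, e.g. "address.city", "phones[0].number", "attributes['zip']".
# Anything that can open a SpEL expression ('#', '(', '@', 'T(') is rejected.
_SEGMENT = r"[A-Za-z_][A-Za-z0-9_]*(?:\[(?:\d+|'[A-Za-z0-9_]+')\])?"
SAFE_PATH_RE = re.compile(r"^" + _SEGMENT + r"(?:\." + _SEGMENT + r")*$")

# Request line inside a combined-format access log entry.
_REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def is_safe_property_path(name):
    """SI-10 style pre-binding filter: accept only plain property paths."""
    return SAFE_PATH_RE.match(name) is not None


def suspicious_params(log_line):
    """Return the decoded parameter names in one access-log line that fail
    the allowlist. Percent-decoding happens in parse_qsl, so encoded '[',
    '#' and '(' cannot slip past the check."""
    m = _REQUEST_RE.search(log_line)
    if not m:
        return []
    # Split on the first '?' ourselves: urlsplit() would treat a literal '#'
    # in the logged target as a fragment and silently drop the payload.
    query = m.group("target").partition("?")[2]
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if not is_safe_property_path(name)]


def scan_access_log(lines):
    """Return [(client address, [suspicious names])] for lines that hit."""
    alerts = []
    for line in lines:
        hits = suspicious_params(line)
        if hits:
            alerts.append((line.split(" ", 1)[0], hits))
    return alerts


# Constructed combined-format lines: a percent-encoded probe, the same probe
# sent unencoded, and a benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Apr/2018:10:01:02 +0000] "GET /people?name%5B%23this.getClass%28%29.forName%28%27java.lang.Runtime%27%29%5D=x HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    '10.0.0.6 - - [11/Apr/2018:10:01:03 +0000] "GET /people?name[#this.getClass()]=y HTTP/1.1" 500 0 "-" "python-requests/2.18.4"',
    '10.0.0.7 - - [11/Apr/2018:10:01:04 +0000] "GET /people?name=alice&address.city=Berlin&phones%5B0%5D.number=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, names in scan_access_log(SAMPLE_LOG):
        print(client, names)
```

Two caveats for anyone deploying this. Log-based detection only sees query strings; the same crafted names can arrive in a form body or in the projection-based payload path, which ordinary access logs do not record, so the allowlist belongs in the request pipeline (or a WAF rule) rather than only in a log scanner. And an allowlist is a compensating control, not a fix: the property binder is still evaluating expressions underneath it, so the SI-2 upgrade to 1.13.10 / 2.0.5 remains the actual remediation.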