CVE-2018-1259
The MITRE CVE dictionary describes this issue as:
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
Find out more about CVE-2018-1259 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v3 metrics
| CVSS3 Base Score | 7.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity Impact | Low |
| Availability Impact | Low |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat OpenShift Application Runtimes 1.0 | RHSA-2018:1809 | 2018-06-07 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Mobile Application Platform On-Premise 4 | spring-data-commons | Not affected |
| Red Hat JBoss Fuse 7 | spring-data-commons | Affected |
| Red Hat JBoss Fuse 6 | spring-data-commons | Not affected |
CVE description copyright © 2017, The MITRE Corporation