CVE-2018-1259

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-1259

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1259.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-1259

Aliases

GHSA-m929-7fr6-cvjg

Published

2018-05-11T20:29:00Z

Modified

2024-09-03T02:04:12.207938Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.

References

Affected packages

Git / github.com/spring-projects/spring-data-commons

Affected ranges

Type: GIT
Repo: https://github.com/spring-projects/spring-data-commons
Events: Introduced

dc8583795871a09d78a15b075935a6cada57d597

Last affected

6716d156812b7fbde8635aa10a3717ca35dd0d2b

Introduced

d5cad6c27f765587a3976620324153352058a4a7

Last affected

776cc0f4e6f455c02436c6f968bfe31354107306

Introduced

ac92b5ee9ed83432cec927a47c893dcd4f61e0b1

Last affected

eef71d082bf36f934096bcfd8e985d47d9b2fde1

Type: GIT
Repo: https://github.com/spring-projects/spring-data-rest
Events: Introduced

ac2cbfcbc5954384cb92da7ed2641d1e06322827

Last affected

164bc5c697fc0f273b3d5eb2d73528cc6a9e97c4

Last affected

70d6bb241a6581542c8bfaf4e17ef53d6cfe8f8e

Type: GIT
Repo: https://github.com/svenewald/xmlbeam
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

856c481d05665e1c3ccdc281dd150a1935cfc0e5

Affected versions

1.*

1.0

1.1

1.1.1

1.1.2

1.1.3

1.1.4

1.13.0.RELEASE

1.13.1.RELEASE

1.13.10.RELEASE

1.13.11.RELEASE

1.13.2.RELEASE

1.13.3.RELEASE

1.13.4.RELEASE

1.13.5.RELEASE

1.13.6.RELEASE

1.13.7.RELEASE

1.13.8.RELEASE

1.13.9.RELEASE

1.2.0

1.2.1

1.3.0

1.4.0

1.4.1

1.4.10

1.4.11

1.4.12

1.4.13

1.4.14

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.4.9

2.*

2.0.0.RELEASE

2.0.1.RELEASE

2.0.2.RELEASE

2.0.3.RELEASE

2.0.4.RELEASE

2.0.5.RELEASE

2.0.6.RELEASE

2.1.0.M1

2.1.0.M2

2.1.0.M3

2.1.0.RC1

2.1.0.RC2

2.1.0.RELEASE

2.2.0.M1

2.2.0.M2

2.2.0.M3

2.2.0.M4

2.2.0.RC1

2.2.0.RC2

2.2.0.RC3

2.2.0.RELEASE

2.3.0.M1

2.3.0.M2

2.3.0.M3

2.3.0.M4

2.3.0.RC1

2.3.0.RC2

2.3.0.RELEASE

2.4.0

2.4.0-M1

2.4.0-M2

2.4.0-RC1

2.4.0-RC2

2.5.0

2.5.0-M1

2.5.0-M2

2.5.0-M3

2.5.0-M4

2.5.0-M5

2.5.0-RC1

2.6.0

2.6.0-M1

2.6.0-M2

2.6.0-M3

2.6.0-RC1

3.*

3.0.0

3.0.0-M1

3.0.0-M2

3.0.0-M3

3.0.0-M4

3.0.0-M5

3.0.0-M6

3.0.0-RC1

3.0.0-RC2

3.0.0.RELEASE

3.0.1

3.0.1.RELEASE

3.0.2

3.0.2.RELEASE

3.0.3

3.0.3.RELEASE

3.0.4

3.0.4.RELEASE

3.0.5

3.0.5.RELEASE

3.0.6

3.0.6.RELEASE

Other

before_master_reset_for_exceptionFeature

before_single_visitor_switch