CVE-2018-1259: XEE
First published: Wed May 09 2018(Updated: )
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
Credit: security_alert@emc.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/spring-data-commons | <1.13.12 | 1.13.12 |
| redhat/spring-data-commons | <2.0.7 | 2.0.7 |
| Pivotal Software Spring Data Commons | >=1.13<=1.13.11 | |
| Pivotal Software Spring Data Commons | >=2.0<=2.0.6 | |
| Pivotal Software Spring Data Rest | >2.6<=2.6.11 | |
| Pivotal Software Spring Data Rest | >=3.0<=3.0.6 | |
| Xmlbeam Xmlbeam | <=1.4.14 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2018:1809
- https://access.redhat.com/errata/RHSA-2018:3768
- https://pivotal.io/security/cve-2018-1259
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://jira.spring.io/browse/DATACMNS-1292
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1578939
- https://bugzilla.redhat.com/show_bug.cgi?id=1578902
Frequently Asked Questions
What is CVE-2018-1259?
CVE-2018-1259 is a vulnerability in Spring Data Commons.
How severe is CVE-2018-1259?
CVE-2018-1259 has a severity rating of 7.5 (high).
Which versions of Spring Data Commons are affected by CVE-2018-1259?
Versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7 of Spring Data Commons are affected by CVE-2018-1259.
How can I fix CVE-2018-1259?
To fix CVE-2018-1259, upgrade to version 1.13.12 or version 2.0.7 of Spring Data Commons.
Where can I find more information about CVE-2018-1259?
More information about CVE-2018-1259 can be found at the following references: [Link 1](https://pivotal.io/security/cve-2018-1259), [Link 2](https://jira.spring.io/browse/DATACMNS-1292), [Link 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1578939).
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-1259
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/tags
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- vendor/pivotal software
- canonical/pivotal software spring data commons
- version/pivotal software spring data commons/1.13
- version/pivotal software spring data commons/1.13.11
- version/pivotal software spring data commons/2.0
- version/pivotal software spring data commons/2.0.6
- canonical/pivotal software spring data rest
- version/pivotal software spring data rest/2.6.11
- version/pivotal software spring data rest/3.0
- version/pivotal software spring data rest/3.0.6
- vendor/xmlbeam
- canonical/xmlbeam xmlbeam
- version/xmlbeam xmlbeam/1.4.14
- package-manager/redhat