CVE-2018-1273: VMware Tanzu Spring Data Commons Property Binder Vulnerability
First published: Wed Apr 11 2018(Updated: )
Spring Data Commons contains a property binder vulnerability which can allow an attacker to perform remote code execution.
Credit: security_alert@emc.com security_alert@emc.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pivotal Software Spring Data Commons | <=1.12.10 | |
| Pivotal Software Spring Data Commons | >=1.13<=1.13.10 | |
| Pivotal Software Spring Data Commons | >=2.0<=2.0.5 | |
| Pivotal Software Spring Data Rest | <=2.5.10 | |
| Pivotal Software Spring Data Rest | >=2.6<=2.6.10 | |
| Pivotal Software Spring Data Rest | >=3.0<=3.0.5 | |
| Apache Ignite | >=1.0.0<=2.5.0 | |
| Apache Ignite | =1.0.0-rc3 | |
| VMware Tanzu Spring Data Commons | ||
| maven/org.springframework.data:spring-data-commons | >=2.0.0<2.0.6 | 2.0.6 |
| maven/org.springframework.data:spring-data-commons | >=1.13.0<1.13.11 | 1.13.11 |
| Pivotal Software Spring Data Commons | >=1.13.0<=1.13.10 | |
| Pivotal Software Spring Data Commons | >=2.0.0<=2.0.5 | |
| Pivotal Software Spring Data Rest | >=2.6.0<=2.6.10 | |
| Pivotal Software Spring Data Rest | >=3.0.0<=3.0.5 | |
| Apache Ignite | >=1.0.1<=2.5.0 | |
| Apache Ignite | =1.0.0 | |
| Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.2.0 | |
| Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
- https://pivotal.io/security/cve-2018-1273
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2018-1273
- https://github.com/advisories/GHSA-4fq3-mr56-cg6r (Advisory)
- https://github.com/spring-projects/spring-data-commons/issues/1721
- https://github.com/spring-projects/spring-data-commons/commit/ae1dd2741ce06d44a0966ecbd6f47beabde2b653
- https://github.com/spring-projects/spring-data-commons/commit/b1a20ae1e82a63f99b3afc6f2aaedb3bf4dc432a
Frequently Asked Questions
What is CVE-2018-1273?
CVE-2018-1273 is a vulnerability in VMware Tanzu Spring Data Commons that allows an unauthenticated remote attacker to supply specially crafted request parameters.
Who is affected by CVE-2018-1273?
Users of VMware Tanzu Spring Data Commons versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions are affected.
What is the severity of CVE-2018-1273?
CVE-2018-1273 has a severity rating of 9.8 (Critical).
How can an attacker exploit CVE-2018-1273?
An attacker can exploit CVE-2018-1273 by supplying specially crafted request parameters.
Where can I find more information about CVE-2018-1273?
You can find more information about CVE-2018-1273 at the following references: [Reference 1](http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E), [Reference 2](https://pivotal.io/security/cve-2018-1273), [Reference 3](https://www.oracle.com/security-alerts/cpujul2022.html).
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/title
- exploited/true
- ransomware/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-4fq3-mr56-cg6r
- alias/CVE-2018-1273
- agent/references
- agent/description
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- collector/nvd-api
- agent/weakness
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/pivotal software
- canonical/pivotal software spring data commons
- version/pivotal software spring data commons/1.12.10
- version/pivotal software spring data commons/1.13
- version/pivotal software spring data commons/1.13.10
- version/pivotal software spring data commons/2.0
- version/pivotal software spring data commons/2.0.5
- canonical/pivotal software spring data rest
- version/pivotal software spring data rest/2.5.10
- version/pivotal software spring data rest/2.6
- version/pivotal software spring data rest/2.6.10
- version/pivotal software spring data rest/3.0
- version/pivotal software spring data rest/3.0.5
- vendor/apache
- canonical/apache ignite
- version/apache ignite/1.0.0
- version/apache ignite/2.5.0
- version/apache ignite/1.0.0-rc3
- vendor/vmware tanzu
- canonical/vmware tanzu spring data commons
- package-manager/maven
- version/pivotal software spring data commons/1.13.0
- version/pivotal software spring data commons/2.0.0
- version/pivotal software spring data rest/2.6.0
- version/pivotal software spring data rest/3.0.0
- version/apache ignite/1.0.1
- vendor/oracle
- canonical/oracle financial services crime and compliance management studio
- version/oracle financial services crime and compliance management studio/8.0.8.2.0
- version/oracle financial services crime and compliance management studio/8.0.8.3.0