CVE-2018-1274
First published: Tue Apr 10 2018(Updated: )
Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).
Credit: security_alert@emc.com security_alert@emc.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pivotal Software Spring Data Commons | >=1.13<=1.13.10 | |
| Pivotal Software Spring Data Commons | >=2.0<=2.0.5 | |
| Pivotal Software Spring Data Rest | >=2.6<=2.6.10 | |
| Pivotal Software Spring Data Rest | >=3.0<=3.0.5 | |
| maven/org.springframework.data:spring-data-commons | >=2.0.0<2.0.6 | 2.0.6 |
| maven/org.springframework.data:spring-data-commons | <1.13.11 | 1.13.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/103769
- https://pivotal.io/security/cve-2018-1274
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2018-1274
- https://github.com/advisories/GHSA-5q8m-mqmx-pxp9 (Advisory)
- https://github.com/spring-projects/spring-data-commons/commit/371f6590c509c72f8e600f3d05e110941607fba
- https://github.com/spring-projects/spring-data-commons/commit/3d8576fe4e4e71c23b9e6796b32fd56e51182ee
Frequently Asked Questions
What is CVE-2018-1274?
CVE-2018-1274 is a property path parser vulnerability in Spring Data Commons versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, allowing for unlimited resource allocation and potential remote code execution.
What is the severity of CVE-2018-1274?
CVE-2018-1274 has a severity rating of 7.5 (High).
How does CVE-2018-1274 impact Spring Data Commons?
CVE-2018-1274 allows an unauthenticated remote attacker to issue requests against Spring Data REST endpoints, potentially leading to remote code execution.
How can I fix CVE-2018-1274?
To fix CVE-2018-1274, it is recommended to update to a supported version of Spring Data Commons (1.13.11 or newer, 2.0.6 or newer) or Spring Data REST (2.6.11 or newer, 3.0.6 or newer).
Where can I find more information about CVE-2018-1274?
More information about CVE-2018-1274 can be found at the following references: [securityfocus.com](http://www.securityfocus.com/bid/103769), [pivotal.io](https://pivotal.io/security/cve-2018-1274), [oracle.com](https://www.oracle.com/security-alerts/cpujul2022.html).
- collector/nvd-index
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-5q8m-mqmx-pxp9
- alias/CVE-2018-1274
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/references
- agent/softwarecombine
- agent/description
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/tags
- agent/source
- vendor/pivotal software
- canonical/pivotal software spring data commons
- version/pivotal software spring data commons/1.13
- version/pivotal software spring data commons/1.13.10
- version/pivotal software spring data commons/2.0
- version/pivotal software spring data commons/2.0.5
- canonical/pivotal software spring data rest
- version/pivotal software spring data rest/2.6
- version/pivotal software spring data rest/2.6.10
- version/pivotal software spring data rest/3.0
- version/pivotal software spring data rest/3.0.5
- package-manager/maven