CVE-2017-8046 – org.springframework.data:spring-data-rest-core
Package
Manager: maven
Name: org.springframework.data:spring-data-rest-core
Vulnerable Version: >=0 <2.6.9.release || >=3.0.0 <3.0.1.release
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.93302 (percentile: 0.99803)
Details
Remote code execution in PATCH requests in Spring Data REST
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9) and versions prior to 3.0.1 (Kay SR1) can use specially crafted JSON data to run arbitrary Java code.
Metadata
Created: 2022-05-13T01:02:43Z
Modified: 2022-11-04T18:40:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9qf9-28h9-hqcj/GHSA-9qf9-28h9-hqcj.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-9qf9-28h9-hqcj
Finding: F184
Auto approve: 1