Description
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
Remediation
References
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
https://pivotal.io/security/cve-2018-1273
https://www.oracle.com/security-alerts/cpujul2022.html
Related Vulnerabilities
CVE-2022-36915 Vulnerability in maven package org.jenkins-ci.plugins:android-signing
CVE-2021-32660 Vulnerability in npm package techdocs-common
CVE-2020-10591 Vulnerability in maven package com.walmartlabs.concord.server:concord-server-impl
CVE-2019-10277 Vulnerability in maven package hudson.plugins:starteam