Description
Spring Data Commons versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions contain a property binder vulnerability caused by improper neutralization of special elements. The binder treats request parameter names as property paths and evaluates them as SpEL expressions under an unrestricted evaluation context, so the path itself can invoke arbitrary types and methods. An unauthenticated remote attacker who can supply specially crafted request parameters to Spring Data REST backed HTTP resources, or to Spring Data's projection-based request payload binding, can therefore achieve remote code execution on the server.
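The following is an added example, not code from Spring Data or from this advisory. It reconstructs the shape of the flaw with a minimal binder: every request parameter name is parsed as a SpEL property path and written to a bean. The PersonForm class, the parameter map and the bindUnsafe/bindSafe method names are constructed for illustration. The hardened variant uses SimpleEvaluationContext.forReadWriteDataBinding() (Spring Framework 4.3.15 / 5.0.5 and later), the same restricted context the upstream fix moved to; the demonstration path only reads java.version, which is enough to show that an expression inside the path is evaluated.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class PropertyBinderExample {

    /** Hypothetical bean standing in for a Spring Data entity or projection (constructed). */
    public static class PersonForm {
        private String name;
        private Map<String, String> attributes = new HashMap<>();

        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public Map<String, String> getAttributes() { return attributes; }
        public void setAttributes(Map<String, String> attributes) { this.attributes = attributes; }
    }

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    /**
     * Vulnerable shape: parameter names become SpEL paths evaluated under a
     * StandardEvaluationContext, which allows type references (T(...)),
     * method invocation and constructors anywhere inside the path.
     */
    static void bindUnsafe(Object target, Map<String, String> params) {
        EvaluationContext ctx = new StandardEvaluationContext(target);
        bind(ctx, target, params);
    }

    /**
     * Hardened shape: SimpleEvaluationContext.forReadWriteDataBinding() exposes only
     * property reads and writes on the root object. It has no TypeLocator, so T(...)
     * inside a path fails with an EvaluationException and nothing is written.
     */
    static void bindSafe(Object target, Map<String, String> params) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadWriteDataBinding().build();
        bind(ctx, target, params);
    }

    private static void bind(EvaluationContext ctx, Object target, Map<String, String> params) {
        for (Map.Entry<String, String> e : params.entrySet()) {
            Expression path = PARSER.parseExpression(e.getKey());
            path.setValue(ctx, target, e.getValue());
        }
    }

    public static void main(String[] args) {
        // Constructed request parameters. The second key is an attacker-shaped property
        // path: the bracketed index is a SpEL expression that the binder evaluates before
        // it touches the map at all.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "Alice");
        params.put("attributes[T(java.lang.System).getProperty('java.version')]", "x");

        PersonForm vulnerable = new PersonForm();
        bindUnsafe(vulnerable, params);
        // The running JVM's version appears as a map key: the T(...) expression ran.
        System.out.println("unsafe binder: " + vulnerable.getAttributes());

        PersonForm hardened = new PersonForm();
        try {
            bindSafe(hardened, params);
            System.out.println("safe binder unexpectedly accepted the path");
        } catch (EvaluationException ex) {
            // Expected under the restricted context: the type reference is rejected.
            System.out.println("safe binder rejected the path: " + ex.getMessage());
        }
        // "name" was bound before the hostile key was reached; attributes stays empty.
        System.out.println("hardened bean: name=" + hardened.getName()
                + " attributes=" + hardened.getAttributes());
    }
}
```

Run with spring-expression on the classpath. The check a practitioner wants when auditing similar code is the evaluation context type: any binder that hands user-supplied strings to SpelExpressionParser under a StandardEvaluationContext has this class of problem, whatever the surrounding framework.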
Remediation
Upgrade Spring Data Commons to 1.13.11 (Ingalls SR11) or 2.0.6 (Kay SR6) or later. Applications that consume Spring Data through Spring Boot get the fixed versions with Spring Boot 1.5.11 and 2.0.1 respectively.
References
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
https://pivotal.io/security/cve-2018-1273
https://www.oracle.com/security-alerts/cpujul2022.html
Related Vulnerabilities
CVE-2023-24162 Vulnerability in maven package cn.hutool:hutool-all
CVE-2019-1003049 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2022-38398 Vulnerability in maven package org.apache.xmlgraphics:batik-bridge
CVE-2019-1003058 Vulnerability in maven package org.jvnet.hudson.plugins:ftppublisher
CVE-2019-1003057 Vulnerability in maven package org.jenkins-ci.plugins:bitbucket-approve