Description
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
Remediation
References
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
https://pivotal.io/security/cve-2018-1273
https://www.oracle.com/security-alerts/cpujul2022.html
Related Vulnerabilities
CVE-2019-16568 Vulnerability in maven package hudson.plugins.sctmexecutor:sctmexecutor
CVE-2022-0748 Vulnerability in npm package post-loader
CVE-2021-23342 Vulnerability in npm package docsify
CVE-2019-19771 Vulnerability in npm package bitcoisnj-lib
CVE-2019-17566 Vulnerability in maven package org.apache.xmlgraphics:batik-svgrasterizer