Description
Pivotal released a security advisory disclosing that the Spring Data REST server is prone to a remote code execution (RCE) vulnerability (CVE-2017-8046) when processing PATCH requests. An attacker can exploit it by sending a crafted PATCH request to the Spring Data REST server whose JSON body contains a SpEL (Spring Expression Language) expression; the expression is evaluated by the server, which leads to remote code execution. Spring Data REST versions up to 2.6.8 and version 3.0.0 are affected.
Remediation
Users of affected versions should upgrade to one of the releases that fix this issue:
- Spring Data REST 2.6.9 (Ingalls SR9, Oct. 27, 2017)
- Spring Data REST 3.0.1 (Kay SR1, Oct. 27, 2017)
- Spring Boot 1.5.9 (Oct. 28, 2017)
- Spring Boot 2.0 M6 (Nov. 6, 2017)
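As an added defender's example (not code from the advisory or from the Spring project), the check below classifies a Spring Data REST version string against the affected and fixed releases named above, and inspects a PATCH body, assumed to be an RFC 6902 JSON Patch array, flagging any `path` or `from` value that is not built from plain property-name or array-index tokens, since a field reference never needs expression syntax. The sample bodies and the `#{expr}` token are constructed.

```python
import json
import re

# Version ranges the advisory names as affected: 2.x releases up to 2.6.8 and
# release 3.0.0. Fixed releases are 2.6.9 and 3.0.1. Suffixes such as
# ".RELEASE" are ignored; only the first three numeric components matter.
def is_affected_version(version: str) -> bool:
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    if major == 2:
        return (minor, patch) <= (6, 8)
    if major == 3:
        return (minor, patch) == (0, 0)
    return False

# A plain JSON Pointer token: an identifier-like property name, an array index,
# or "-" (the JSON Patch end-of-array marker). Parentheses, braces, quotes,
# '#' and similar characters are not field references and are flagged.
# Escaped tokens ("~0", "~1") are conservatively flagged as well.
_SAFE_TOKEN = re.compile(r"^(?:[A-Za-z_][A-Za-z0-9_]*|0|[1-9][0-9]*|-)$")

def suspicious_patch_paths(body: str) -> list:
    """Return the 'path'/'from' values of a JSON Patch body whose tokens are
    not plain property names or indexes; an empty list means nothing odd."""
    try:
        ops = json.loads(body)
    except ValueError:
        return ["<unparseable JSON>"]
    if not isinstance(ops, list):
        return ["<body is not a JSON Patch array>"]
    flagged = []
    for op in ops:
        if not isinstance(op, dict):
            flagged.append(repr(op))
            continue
        for key in ("path", "from"):
            ptr = op.get(key)
            if ptr is None:
                continue
            # A pointer is "" (whole document) or starts with "/".
            if not isinstance(ptr, str) or (ptr and not ptr.startswith("/")):
                flagged.append(str(ptr))
                continue
            tokens = ptr.split("/")[1:] if ptr else []
            if not all(_SAFE_TOKEN.match(t) for t in tokens):
                flagged.append(ptr)
    return flagged

# Constructed sample bodies (not real traffic): a benign field update and a
# request whose path carries an expression-like token instead of a field name.
BENIGN_PATCH = '[{"op": "replace", "path": "/firstName", "value": "Alice"}]'
SUSPICIOUS_PATCH = '[{"op": "replace", "path": "/lastName/#{expr}", "value": "x"}]'
```

Run the check at a gateway or in a request filter in front of Spring Data REST endpoints and alert on any non-empty result, in addition to upgrading.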