Pivotal released a security advisory to reveal the Spring Data REST server is prone to a remote code execution (RCE) vulnerability (CVE-2017-8046) when processing PATCH requests. Attackers could exploit this vulnerability by sending a crafted PATCH request to the Spring Data REST server. The submitted JSON data contains a SPEL expression, which could cause remote code execution (RCE). Spring Data REST versions up to version 2.6.8 and 3.0.0 are affected by this vulnerability.


Users of affected versions should apply the following mitigation:

Releases that have fixed this issue include:

  • Spring Data REST 2.6.9 (Ingalls SR9, Oct. 27th, 2017)
  • Spring Data REST 3.0.1 (Kay SR1, Oct. 27th 2017)
  • Spring Boot 1.5.9 (Oct, 28th 2017)
  • Spring Boot 2.0 M6 (Nov. 6th 2017)


Related Vulnerabilities