Spring Data REST RCE via PATCH requests

  • Pivotal has released a security advisory disclosing a remote code execution (RCE) vulnerability (CVE-2017-8046) in the way the Spring Data REST server processes PATCH requests. An attacker could exploit it by sending a crafted PATCH request to the Spring Data REST server: the submitted JSON data contains a SpEL expression, which could lead to remote code execution. Spring Data REST versions up to 2.6.8 and 3.0.0 are affected by this vulnerability.
  • Users of affected versions should apply the following mitigation:

    Releases that have fixed this issue include:
    • Spring Data REST 2.6.9 (Ingalls SR9, Oct. 27th, 2017)
    • Spring Data REST 3.0.1 (Kay SR1, Oct. 27th, 2017)
    • Spring Boot 1.5.9 (Oct. 28th, 2017)
    • Spring Boot 2.0 M6 (Nov. 6th, 2017)
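
One way to check a build against the fixed releases listed above is to audit the output of `mvn dependency:list`. The script below is an added example, not part of the advisory or of any Spring project. It assumes the `groupId:artifactId:type:version:scope` line format, Spring's `.RELEASE`/`.M<n>`/`.RC<n>`/`.BUILD-SNAPSHOT` version qualifiers, and that `spring-boot-starter-data-rest` carries the Spring Boot version; the sample listing is constructed.

```python
import re

# First fixed release per release line, taken from the advisory's list above.
# Key tuple: (major, minor, patch, qualifier rank, qualifier number).
FIXED = {
    "spring-data-rest": [(2, 6, 9, 3, 0), (3, 0, 1, 3, 0)],
    "spring-boot": [(1, 5, 9, 3, 0), (2, 0, 0, 1, 6)],  # 2.0 M6
}
# Assumed qualifier order: snapshot < milestone < release candidate < release.
RANK = {"BUILD-SNAPSHOT": 0, "M": 1, "RC": 2, "RELEASE": 3, "": 3}
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](BUILD-SNAPSHOT|RELEASE|M|RC)(\d*))?$")
DEP = re.compile(r"org\.springframework\.(?:data|boot):([\w.-]+):[\w-]+:([^:\s]+):\w+")

# Constructed sample of `mvn dependency:list` output.
SAMPLE = """\
[INFO]    org.springframework.boot:spring-boot-starter-data-rest:jar:1.5.8.RELEASE:compile
[INFO]    org.springframework.data:spring-data-rest-webmvc:jar:2.6.8.RELEASE:compile
[INFO]    org.springframework.data:spring-data-rest-core:jar:3.0.1.RELEASE:compile
[INFO]    org.springframework.data:spring-data-commons:jar:1.13.8.RELEASE:compile
"""

def version_key(text):
    """Turn '2.0.0.M6' into a tuple that sorts in release order."""
    m = VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised version: {text}")
    major, minor, patch, qual, num = m.groups()
    return (int(major), int(minor), int(patch), RANK[qual or ""], int(num or 0))

def is_affected(family, version):
    key = version_key(version)
    for fixed in FIXED[family]:
        if key[0] <= fixed[0]:   # first listed fix at or above this major line
            return key < fixed
    return False                 # newer major line than any listed fix

def audit(listing):
    """Return (artifact, version) pairs that predate the fixed releases."""
    findings = []
    for artifact, version in DEP.findall(listing):
        if artifact.startswith("spring-data-rest-"):
            family = "spring-data-rest"
        elif artifact == "spring-boot-starter-data-rest":
            family = "spring-boot"
        else:
            continue
        if is_affected(family, version):
            findings.append((artifact, version))
    return findings
```

Snapshot builds sort below every release here, so they are reported as findings and need a manual check of their build date.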