Description

Pivotal has released a security advisory disclosing a remote code execution (RCE) vulnerability (CVE-2017-8046) in the Spring Data REST server, triggered when it processes PATCH requests. An attacker could exploit it by sending a crafted PATCH request whose JSON body contains a SpEL expression, leading to remote code execution on the server. Spring Data REST versions up to 2.6.8 and version 3.0.0 are affected.

Remediation

Users of affected versions should upgrade to a fixed release. Releases that fix this issue include:

  • Spring Data REST 2.6.9 (Ingalls SR9, Oct. 27th, 2017)
  • Spring Data REST 3.0.1 (Kay SR1, Oct. 27th, 2017)
  • Spring Boot 1.5.9 (Oct. 28th, 2017)
  • Spring Boot 2.0 M6 (Nov. 6th, 2017)
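To check a build against the affected range stated above, here is an added Python example (not from Pivotal or the Spring project) that resolves the Spring Data REST dependency versions declared in a Maven POM, including `${property}` placeholders, and compares them with the fix boundaries from this advisory; the sample POM and its `sdr.version` property are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Fix boundaries from the advisory: everything up to 2.6.8 is affected (fixed in
# 2.6.9, Ingalls SR9); 3.0.0 is affected (fixed in 3.0.1, Kay SR1).
FIRST_FIXED_2X = (2, 6, 9)
FIRST_FIXED_3X = (3, 0, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]\w+)?$")

def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a Spring-style version such as '2.6.8.RELEASE' to a numeric triple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def is_affected(version: str) -> bool:
    """True if this Spring Data REST version lies inside the advisory's affected range."""
    v = parse_version(version)
    if v >= FIRST_FIXED_3X:
        return False
    if v >= (3, 0, 0):            # 3.0.0 and its pre-releases
        return True
    return v < FIRST_FIXED_2X      # 2.6.8 and everything older

def _local(tag: str) -> str:
    """Strip the Maven POM XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def spring_data_rest_versions(pom_xml: str) -> List[Tuple[str, str]]:
    """Return (artifactId, resolved version) for each spring-data-rest-* dependency."""
    root = ET.fromstring(pom_xml)
    props: Dict[str, str] = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props = {_local(p.tag): (p.text or "").strip() for p in el}
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        artifact = fields.get("artifactId", "")
        if artifact.startswith("spring-data-rest"):
            # Resolve ${property} placeholders declared under <properties>.
            version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)),
                             fields.get("version", ""))
            found.append((artifact, version))
    return found

def affected_dependencies(pom_xml: str) -> List[Tuple[str, str]]:
    """Keep only the POM's Spring Data REST dependencies that fall in the affected range."""
    return [(a, v) for a, v in spring_data_rest_versions(pom_xml) if v and is_affected(v)]

# Constructed sample POM (not a real project) pinning one affected and one fixed release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><sdr.version>2.6.8.RELEASE</sdr.version></properties>
  <dependencies>
    <dependency><artifactId>spring-data-rest-webmvc</artifactId><version>${sdr.version}</version></dependency>
    <dependency><artifactId>spring-data-rest-core</artifactId><version>3.0.1.RELEASE</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    print(affected_dependencies(SAMPLE_POM))  # [('spring-data-rest-webmvc', '2.6.8.RELEASE')]
```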
