CVE-2018-1259
Property Binder Vulnerability in spring-data-commons (Maven)

Property Binder Vulnerability Proof of concept

What is CVE-2018-1259 About?

Spring Data Commons, in versions prior to 1.13.12 and 2.0 prior to 2.0.7, when used with XMLBeam 1.4.14 or older, is susceptible to a property binder vulnerability. This flaw arises from XMLBeam's improper handling of XML external entity references during Spring Data's projection-based request payload binding. It allows unauthenticated remote attackers to access arbitrary files on the system by crafting specific request parameters.

Affected Software

  • org.springframework.data:spring-data-commons
    • >1.13.0, <1.13.12
    • >2.0.0, <2.0.7

Technical Details

This vulnerability is an XML External Entity (XXE)-like flaw specifically affecting Spring Data Commons when combined with XMLBeam. Spring Data provides a projection-based request payload binding mechanism that, when parsing incoming XML requests, leverages XMLBeam. The root cause is that XMLBeam 1.4.14 and earlier do not adequately restrict the expansion of XML external entities. An unauthenticated attacker can supply specially crafted XML within request parameters. This XML can include DTD declarations that refer to external entities pointing to local files (e.g., file:///etc/passwd). When Spring Data Commons uses XMLBeam to process this malicious XML, XMLBeam resolves the external entities, and the content of arbitrary files is disclosed to the attacker in the application's response or error messages.

What is the Impact of CVE-2018-1259?

Successful exploitation may allow attackers to read arbitrary files from the server's file system, potentially leading to sensitive information disclosure.

What is the Exploitability of CVE-2018-1259?

Exploitation involves an unauthenticated remote attacker sending specially crafted request parameters containing XML external entity payloads to an endpoint that uses Spring Data's projection-based request payload binding. Complexity is moderate: it requires knowledge of XXE attack techniques and of how Spring Data processes payloads. No authentication is required and the privileges needed are low, since the attack leverages a parsing vulnerability; this makes it a high-risk, remotely reachable attack surface. The presence of Spring Data Commons with an outdated XMLBeam library, together with an endpoint that accepts and processes XML-based request payloads, significantly increases the likelihood of exploitation.

What are the Known Public Exploits?

  • PoC author: tafamace
    • Link: Link
    • Commentary: PoC for CVE-2018-1259

What are the Available Fixes for CVE-2018-1259?

Available Upgrade Options

  • org.springframework.data:spring-data-commons
    • >1.13.0, <1.13.12 → Upgrade to 1.13.12
  • org.springframework.data:spring-data-commons
    • >2.0.0, <2.0.7 → Upgrade to 2.0.7

Additional Resources

What are Similar Vulnerabilities to CVE-2018-1259?

Similar Vulnerabilities: CVE-2017-4995, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272, CVE-2019-11267