CVE-2018-1273
Remote Code Execution vulnerability in org.springframework.data:spring-data-commons

Remote Code Execution | High confidence exploit

What is CVE-2018-1273 About?

Spring Data Commons contains a property binder vulnerability that allows for remote code execution due to improper neutralization of special elements. An unauthenticated remote attacker can exploit this by crafting malicious request parameters against Spring Data REST backed HTTP resources. This vulnerability is highly critical and relatively easy to exploit, allowing direct code execution.

Affected Software

  • org.springframework.data:spring-data-commons
    • >2.0.0, <2.0.6
    • >1.13.0, <1.13.11

Technical Details

The Remote Code Execution (RCE) vulnerability in Spring Data Commons stems from a property binder flaw related to improper neutralization of special elements within request parameters. Specifically, when Spring Data REST-backed HTTP resources or Spring Data's projection-based request payload binding process user-supplied request parameters, these specially crafted parameters are not adequately sanitized or validated. This allows an unauthenticated remote attacker to inject malicious code (e.g., using SpEL expressions or other templating/binding mechanisms) that gets evaluated and executed by the server. The vulnerability enables attackers to bypass intended data binding and directly execute arbitrary commands or code on the server-side, leading to full system compromise.

What is the Impact of CVE-2018-1273?

Successful exploitation may allow attackers to execute arbitrary code on the remote server, leading to full system compromise, data theft, and persistent unauthorized access.

What is the Exploitability of CVE-2018-1273?

Exploitation of this Remote Code Execution vulnerability is considered simple to moderate in complexity due to the existence of high-confidence exploits. An unauthenticated remote attacker can exploit this via specially crafted request parameters. There are no authentication or privilege requirements to trigger the vulnerability. The attack vector is strictly remote, targeting exposed Spring Data REST endpoints or applications using explicit projection-based request payload binding. The primary prerequisite is that the application uses an affected version of Spring Data Commons. Risk factors that significantly increase exploitation likelihood include publicly available vulnerable Spring Data REST endpoints and the lack of robust input validation or security mechanisms to prevent malicious expression injection within request parameters.

What are the Known Public Exploits?

PoC Author | Link | Commentary
jas502n | Link | Spring Data Commons RCE remote command execution vulnerability
wearearima | Link | POC for CVE-2018-1273
knqyf263 | Link | Environment for CVE-2018-1273 (Spring Data Commons)

What are the Available Fixes for CVE-2018-1273?

Available Upgrade Options

  • org.springframework.data:spring-data-commons
    • >1.13.0, <1.13.11 → Upgrade to 1.13.11
  • org.springframework.data:spring-data-commons
    • >2.0.0, <2.0.6 → Upgrade to 2.0.6
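
To check a build against the ranges and upgrade targets listed above, here is an added example (not code from the Spring project or from this advisory) that scans `mvn dependency:tree` output for affected spring-data-commons versions. The sample output is constructed, and lower bounds are treated as inclusive as a conservative assumption, so x.y.0 releases are flagged too.

```python
import re

ARTIFACT = "org.springframework.data:spring-data-commons"
# (lower bound, first fixed version), taken from the page's affected ranges.
# Assumption: lower bounds are treated as inclusive, so x.y.0 is flagged too.
AFFECTED = [((1, 13, 0), (1, 13, 11)), ((2, 0, 0), (2, 0, 6))]
# Matches groupId:artifactId followed by the remaining ':'-separated fields.
COORD = re.compile(re.escape(ARTIFACT) + r":[\w.:-]+")

def parse_version(text):
    """'2.0.5.RELEASE' -> (2, 0, 5); None if there is no leading x.y[.z]."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def fixed_version_for(version):
    """Return the upgrade target if version is in an affected range, else None."""
    for low, fixed in AFFECTED:
        if low <= version < fixed:
            return ".".join(map(str, fixed))
    return None

def scan_dependency_tree(output):
    """Return [(version_string, upgrade_target)] for each affected coordinate."""
    findings = []
    for line in output.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        # g:a:type:version:scope (5+ fields) or g:a:type:version (4 fields)
        parts = m.group(0).split(":")
        raw = parts[-2] if len(parts) >= 5 else parts[-1]
        version = parse_version(raw)
        target = fixed_version_for(version) if version else None
        if target:
            findings.append((raw, target))
    return findings

# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE = """\
[INFO] com.example:shop:jar:1.0.0
[INFO] +- org.springframework.data:spring-data-rest-webmvc:jar:3.0.5.RELEASE:compile
[INFO] |  \\- org.springframework.data:spring-data-commons:jar:2.0.5.RELEASE:compile
[INFO] +- org.springframework.data:spring-data-commons:jar:1.13.11.RELEASE:compile
[INFO] \\- org.springframework.data:spring-data-commons:jar:1.13.4.RELEASE:test
"""

if __name__ == "__main__":
    for raw, target in scan_dependency_tree(SAMPLE):
        print(f"spring-data-commons {raw} is affected; upgrade to {target}")
```

Transitive copies count: the 2.0.5.RELEASE entry in the sample is pulled in by spring-data-rest-webmvc, which is how most applications end up with this library.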


Additional Resources

What are Similar Vulnerabilities to CVE-2018-1273?

Similar Vulnerabilities: CVE-2017-8046, CVE-2017-4971, CVE-2018-1271, CVE-2022-22965, CVE-2021-22005