CVE-2018-1259

{"id": "CVE-2018-1259", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "[email protected]", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2018-05-11T20:29:00.307", "references": [{"url": "https://access.redhat.com/errata/RHSA-2018:1809", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2018:3768", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://pivotal.io/security/cve-2018-1259", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2018:1809", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/errata/RHSA-2018:3768", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://pivotal.io/security/cve-2018-1259", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system."}, {"lang": "es", "value": "Spring Data Commons, en versiones 1.13 anteriores a la 1.13.12 y versiones 2.0 anteriores a la 2.0.7, empleado junto con XMLBeam, en versiones 1.4.14 o anteriores, contiene una vulnerabilidad de enlazador de propiedades provocada por la restricci\u00f3n incorrecta de referencias de entidades externas XML, ya que la biblioteca subyacente XMLBeam no restringe la expansi\u00f3n de referencias externas. Un usuario remoto malicioso no autenticado puede proporcionar par\u00e1metros de petici\u00f3n especialmente manipulados al enlace de la carga \u00fatil de petici\u00f3n basada en proyecci\u00f3n de Spring Data para acceder a archivos arbitrarios en el sistema."}], "lastModified": "2024-11-21T03:59:29.177", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68E7F274-5CF6-482F-9B52-9C7E40C7C133", "versionEndIncluding": "1.13.11", "versionStartIncluding": "1.13"}, {"criteria": "cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "055E8CDE-2FDC-46E1-91B6-02BB5BB5DDE7", "versionEndIncluding": "2.0.6", "versionStartIncluding": "2.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5433DB0-B5D8-48D1-901E-7935B3D9EC37", "versionEndIncluding": "2.6.11", "versionStartExcluding": "2.6"}, {"criteria": "cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AAF1612F-D7FE-480E-8C28-2D97413787F9", "versionEndIncluding": "3.0.6", "versionStartIncluding": "3.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xmlbeam:xmlbeam:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A5EE557-849E-4677-B7B4-4A1BDB6EA0F0", "versionEndIncluding": "1.4.14"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}