CVE-2018-1259

NONE EPSS 91.1%
Published May 11, 2018 · Last Modified Jun 26, 2026

Description

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references, because the underlying library XMLBeam does not restrict external entity expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.

Threat Intelligence

EPSS Exploit Probability
91.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-611

Affected Products 5

Vendor            Product              Version   Range
broadcom          spring_data_commons  *         ≥1.13  –  ≤1.13.11
broadcom          spring_data_commons  *         ≥2.0   –  ≤2.0.6
pivotal_software  spring_data_rest     *         ≥3.0   –  ≤3.0.6
vmware            spring_data_rest     *         >2.6   –  ≤2.6.11
xmlbeam           xmlbeam              *         ≤1.4.14

References 4

  • access.redhat.com https://access.redhat.com/errata/RHSA-2018:1809
    Third Party Advisory
  • access.redhat.com https://access.redhat.com/errata/RHSA-2018:3768
    Third Party Advisory
  • pivotal.io https://pivotal.io/security/cve-2018-1259
    Vendor Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.