CVE-2018-1259 : Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.

Published 2018-05-11 20:29:00

Updated 2022-07-25 18:15:15

Source Dell

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injection

Products affected by CVE-2018-1259

Pivotal Software » Spring Data Rest
Versions after (>) 2.6 and up to, including, (<=) 2.6.11
cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Spring Data Rest
Versions from including (>=) 3.0 and up to, including, (<=) 3.0.6
cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Spring Data Commons
Versions from including (>=) 2.0 and up to, including, (<=) 2.0.6
cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Spring Data Commons
Versions from including (>=) 1.13 and up to, including, (<=) 1.13.11
cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*
Matching versions
Xmlbeam » Xmlbeam
Versions up to, including, (<=) 1.4.14
cpe:2.3:a:xmlbeam:xmlbeam:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-1259

EPSS FAQ

15.58%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 94 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-1259

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2018-1259

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-1259

https://pivotal.io/security/cve-2018-1259

CVE-2018-1259: XXE with Spring Data’s XMLBeam integration | Security | Pivotal
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:3768

RHSA-2018:3768 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:1809

RHSA-2018:1809 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2018-1259

Products affected by CVE-2018-1259

Exploit prediction scoring system (EPSS) score for CVE-2018-1259

CVSS scores for CVE-2018-1259

CWE ids for CVE-2018-1259

References for CVE-2018-1259