CVE-2018-1259
Description
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references, because the underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
Risk Information
Base Score: 7.5 (MODERATE)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score (Exploitation Probability): 9.831
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| CVE-2018-1259 is fixed in Spring Data Commons 1.13.12 | Windows |
| CVE-2018-1259 is fixed in Spring Data Commons 2.0.7 | Windows |
| CVE-2018-1259 is fixed in Spring Data Commons for Linux 1.13.12 | Linux |
| CVE-2018-1259 is fixed in Spring Data Commons for Linux 2.0.7 | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2018-1259
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1259