CVE-2017-8046

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
dell | CNA | --- | ---
CVE | ADP | --- | ---

EPSS Score percentile: 99%

Vendor | Product | Version
vmware | spring_boot | 𝑥 < 1.5.9
vmware | spring_boot | 2.0.0:milestone1
vmware | spring_boot | 2.0.0:milestone2
vmware | spring_boot | 2.0.0:milestone3
vmware | spring_boot | 2.0.0:milestone4
vmware | spring_boot | 2.0.0:milestone5
pivotal_software | spring_data_rest | 𝑥 < 2.6.9
pivotal_software | spring_data_rest | 3.0.0
pivotal_software | spring_data_rest | 3.0.0:m1
pivotal_software | spring_data_rest | 3.0.0:m2
pivotal_software | spring_data_rest | 3.0.0:m3
pivotal_software | spring_data_rest | 3.0.0:m4
pivotal_software | spring_data_rest | 3.0.0:rc1
pivotal_software | spring_data_rest | 3.0.0:rc2
pivotal_software | spring_data_rest | 3.0.0:rc3

𝑥 = Vulnerable software versions