{"containers": {"cna": {"affected": [{"product": "Spring Data Commons", "vendor": "Pivotal", "versions": [{"status": "affected", "version": "1.13 prior to 1.13.12; 2.0 prior to 2.0.7"}]}], "datePublic": "2018-05-09T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system."}], "problemTypes": [{"descriptions": [{"description": "XML Parsing", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-22T17:57:52.000Z", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"name": "RHSA-2018:1809", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1809"}, {"name": "RHSA-2018:3768", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3768"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://pivotal.io/security/cve-2018-1259"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@dell.com", "DATE_PUBLIC": "2018-05-09T00:00:00", "ID": "CVE-2018-1259", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spring Data Commons", "version": {"version_data": [{"version_value": "1.13 prior to 1.13.12; 2.0 prior to 2.0.7"}]}}]}, "vendor_name": "Pivotal"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "XML Parsing"}]}]}, "references": {"reference_data": [{"name": "RHSA-2018:1809", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:1809"}, {"name": "RHSA-2018:3768", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3768"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"name": "https://pivotal.io/security/cve-2018-1259", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2018-1259"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:51:48.968Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2018:1809", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1809"}, {"name": "RHSA-2018:3768", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:3768"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://pivotal.io/security/cve-2018-1259"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2018-1259", "datePublished": "2018-05-11T20:00:00.000Z", "dateReserved": "2017-12-06T00:00:00.000Z", "dateUpdated": "2024-09-16T16:33:36.641Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:spring_data_commons:*:*:*:*:*:*:*:*", "matchCriteriaId": "2DC92E09-A26B-405E-ABFE-CA8652D958AE", "versionEndIncluding": "1.13.11", "versionStartIncluding": "1.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:broadcom:spring_data_commons:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2A4E608-6E56-47B3-84AB-C6C36F789E5C", "versionEndIncluding": "2.0.6", "versionStartIncluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5433DB0-B5D8-48D1-901E-7935B3D9EC37", "versionEndIncluding": "2.6.11", "versionStartExcluding": "2.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*", "matchCriteriaId": "AAF1612F-D7FE-480E-8C28-2D97413787F9", "versionEndIncluding": "3.0.6", "versionStartIncluding": "3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xmlbeam:xmlbeam:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A5EE557-849E-4677-B7B4-4A1BDB6EA0F0", "versionEndIncluding": "1.4.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system."}, {"lang": "es", "value": "Spring Data Commons, en versiones 1.13 anteriores a la 1.13.12 y versiones 2.0 anteriores a la 2.0.7, empleado junto con XMLBeam, en versiones 1.4.14 o anteriores, contiene una vulnerabilidad de enlazador de propiedades provocada por la restricci\u00f3n incorrecta de referencias de entidades externas XML, ya que la biblioteca subyacente XMLBeam no restringe la expansi\u00f3n de referencias externas. Un usuario remoto malicioso no autenticado puede proporcionar par\u00e1metros de petici\u00f3n especialmente manipulados al enlace de la carga \u00fatil de petici\u00f3n basada en proyecci\u00f3n de Spring Data para acceder a archivos arbitrarios en el sistema."}], "id": "CVE-2018-1259", "lastModified": "2026-06-15T18:57:47.483", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-11T20:29:00.307", "references": [{"source": "security_alert@emc.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1809"}, {"source": "security_alert@emc.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3768"}, {"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://pivotal.io/security/cve-2018-1259"}, {"source": "security_alert@emc.com", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1809"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3768"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://pivotal.io/security/cve-2018-1259"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2018:3768", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "spring-data-commons", "product_name": "Red Hat Fuse 7.2", "release_date": "2018-12-04T00:00:00Z"}, {"advisory": "RHSA-2018:1809", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "product_name": "Text-Only RHOAR", "release_date": "2018-06-07T00:00:00Z"}], "bugzilla": {"description": "spring-data-commons: XXE with Spring Data\u2019s XMLBeam integration", "id": "1578902", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578902"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-611", "details": ["Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system."], "name": "CVE-2018-1259", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Not affected", "package_name": "spring-data-commons", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:fuse_integration_services:2", "fix_state": "Not affected", "package_name": "spring-data-commons", "product_name": "Red Hat JBoss Fuse Integration Service 2"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "spring-data-commons", "product_name": "Red Hat Mobile Application Platform 4"}], "public_date": "2018-05-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1259\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1259"], "threat_severity": "Moderate"}

{}