CVE-2017-8046

Published Jan 4, 2018

Last updated 3 years ago

CVSS critical 9.8

Overview

Description: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
Source: security_alert@emc.com
NVD status: Modified

Risk scores

CVSS 3.0

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

CVSS 2.0

Type: Primary
Base score: 7.5
Impact score: 6.4
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-20

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2D178DD5-5C7C-4954-AE5C-7805EEE0869B",
            "versionEndExcluding": "1.5.9"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_boot:2.0.0:milestone1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "141F2C99-AD34-4003-81D4-689F3F1A53ED"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_boot:2.0.0:milestone2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D7929E66-FCA2-4D1B-B29F-55BF70AF70C2"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_boot:2.0.0:milestone3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E6B93CDA-E5D9-4955-910A-22B38779F23C"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_boot:2.0.0:milestone4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F324F68E-CF50-4F2E-90E4-3620CE05A944"
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_boot:2.0.0:milestone5:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C120785F-A827-4870-B33B-679367A9EB20"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D9D3B917-F9C9-417C-830E-475DBFB58D07",
            "versionEndExcluding": "2.6.9"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CB3CC672-C90E-40FD-890F-93C4F5338513"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:m1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "360B3EDD-18D5-44D7-A998-89F55DD9F5E5"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:m2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "95140537-ECA9-4A68-BD05-AEE47C36DD94"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:m3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "47F7A32E-5F18-4651-842D-968FE380AA98"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:m4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BCCDFF26-CF5B-44A6-8EDE-0A5353C669DA"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F1D52612-B862-4B71-A7CA-03A32CB3B0D9"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:rc2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "89BE7C06-D620-4AB2-8388-4A9CCC6C5A97"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:rc3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7BC56E79-77CE-4AFA-AF93-1B9FADE9F3CB"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References