| Vulnerability Name: | CVE-2017-8046 (CCN-137131) |
| Assigned: | 2017-09-21 |
| Published: | 2017-09-21 |
| Updated: | 2022-04-07 |
| Summary: | Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code. |
| CVSS v3 Severity: | 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); 8.8 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C); 8.8 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C) |
| CVSS v2 Severity: | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| Vulnerability Type: | CWE-20 |
| Vulnerability Consequences: | Gain Access |
| References: | Source: MITRE, Type: CNA, CVE-2017-8046; Source: BID, Type: Third Party Advisory, VDB Entry, 100948; Source: CCN, Type: BID-100948, Multiple Pivotal Products CVE-2017-8046 Remote Code Execution Vulnerability; Source: REDHAT, Type: UNKNOWN, RHSA-2018:2405; Source: XF, Type: UNKNOWN, pivotal-cve20178046-code-exec(137131); Source: CCN, Type: Packet Storm Security [03-15-2018], Spring Data REST PATCH Request Remote Code Execution; Source: CCN, Type: Pivotal Web site, CVE-2017-8046: RCE in PATCH requests in Spring Data REST; Source: CONFIRM, Type: Vendor Advisory, https://pivotal.io/security/cve-2017-8046; Source: EXPLOIT-DB, Type: EXPLOIT, Offensive Security Exploit Database [03-15-2018]; Source: EXPLOIT-DB, Type: Third Party Advisory, VDB Entry, 44289 |
| Vulnerable Configuration: | Configuration 1: Configuration 2: Denotes that component is vulnerable |