CVSS: 3.7EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31679
https://notcve.org/view.php?id=CVE-2022-31679
21 Sep 2022 — Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes. Las aplicaciones que permiten el acceso HTTP PATCH a los recursos expuestos por Spring Data REST en versiones 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, y las versiones más antiguas no soportadas, si un atacante conoce la estruc... • https://tanzu.vmware.com/security/cve-2022-31679 •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-22047
https://notcve.org/view.php?id=CVE-2021-22047
28 Oct 2021 — In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for unauthorized access depending on the Spring Security configuration. En Spring Data REST versiones 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, y versiones anteriores no soportadas, los recursos HTTP implementados por controladores perso... • https://tanzu.vmware.com/security/cve-2021-22047 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 10.0EPSS: 92%CPEs: 15EXPL: 11CVE-2017-8046 – Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-8046
04 Jan 2018 — Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code. Las peticiones PATCH maliciosas enviadas a servidores que utilizan versiones Spring Data REST anteriores a la 2.6.9 (Ingalls SR9), versiones anteriores a la 3.0.1 (Kay SR1) y versiones Spring Boot anteriores a la 1.5.9, 2.0 M6 pueden utilizar datos JSON espe... • https://packetstorm.news/files/id/146817 • CWE-20: Improper Input Validation •