CVE-2017-8046
Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
Severity Score: 9.8 (CVSS v3)
Exploit Likelihood: value not captured (EPSS)
Affected Versions: see table below (CPE)
Public Exploits: 5 (multiple sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)
Descriptions
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
Spring Data REST versions prior to 2.6.9 (Ingalls SR9) and 3.0.1 (Kay SR1) suffer from a PATCH request remote code execution vulnerability.
Credits: N/A
CVSS Scores
CVSS v3 metrics (listed twice on the source page; metric values not captured): Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability.
CVSS v2 metrics (metric values not captured): Attack Vector, Attack Complexity, Authentication, Confidentiality, Integrity, Availability.
* Common Vulnerability Scoring System
SSVC
- Decision: -
- Exploitation, Automatable, Tech. Impact: values not captured
* Organization's Worst-case Scenario
Timeline
- 2017-04-21 CVE Reserved
- 2017-10-01 First Exploit
- 2018-01-04 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-12 EPSS Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
CWE
- CWE-20: Improper Input Validation
CAPEC
References (10)
URL | Tag or Date | Source
---|---|---
http://www.securityfocus.com/bid/100948 | Third Party Advisory |
https://www.exploit-db.com/exploits/44289 | 2024-08-05 |
https://github.com/Soontao/CVE-2017-8046-DEMO | 2017-10-01 |
https://github.com/guanjivip/CVE-2017-8046 | 2020-08-01 |
https://github.com/bkhablenko/CVE-2017-8046 | 2018-09-26 |
https://github.com/sj/spring-data-rest-CVE-2017-8046 | 2017-11-08 |
https://access.redhat.com/errata/RHSA-2018:2405 | 2022-04-07 |
https://pivotal.io/security/cve-2017-8046 | 2022-04-07 |
https://access.redhat.com/security/cve/CVE-2017-8046 | 2018-08-14 |
https://bugzilla.redhat.com/show_bug.cgi?id=1553024 | 2018-08-14 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Vmware | Spring Boot | < 1.5.9 | - | Affected
Vmware | Spring Boot | 2.0.0 | milestone1 | Affected
Vmware | Spring Boot | 2.0.0 | milestone2 | Affected
Vmware | Spring Boot | 2.0.0 | milestone3 | Affected
Vmware | Spring Boot | 2.0.0 | milestone4 | Affected
Vmware | Spring Boot | 2.0.0 | milestone5 | Affected
Pivotal Software | Spring Data Rest | < 2.6.9 | - | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | - | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | m1 | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | m2 | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | m3 | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | m4 | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | rc1 | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | rc2 | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | rc3 | Affected