
CVE-2017-8046

Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution

Severity Score: 9.8 (CVSS v3)
Exploit Likelihood: - (EPSS)
Affected Versions: see "Affected Vendors, Products, and Versions" below (CPE)
Public Exploits: 5 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

Spring Data REST versions prior to 2.6.9 (Ingalls SR9) and 3.0.1 (Kay SR1) suffer from a PATCH request remote code execution vulnerability.
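The "specially crafted JSON data" in the descriptions above is a JSON Patch document (sent with Content-Type application/json-patch+json). In the affected versions the "path" of each patch operation was evaluated as a Spring Expression Language (SpEL) expression instead of being treated as a plain JSON Pointer, which is what turns a PATCH request into arbitrary Java code. The Python below is an added example, not code from this page or from the Spring project: it flags PATCH bodies whose paths contain anything other than a JSON Pointer of property names, and checks a Spring Data REST version string against the ranges this page lists (the Spring Boot ranges are only affected through the Spring Data REST version they pull in, so they are not modelled here). The regular expressions, function names and sample bodies are this example's own assumptions, and the sample bodies are constructed, not captured traffic.

```python
import json
import re
from typing import List, Tuple

# A well-formed PATCH path for a Spring Data REST entity is a JSON Pointer
# (RFC 6901) whose reference tokens are Java property names, array indices,
# or the "-" end-of-array marker. Anything else has no business in a path.
# (Assumed allow-list for this example; widen it if your entities use other names.)
_TOKEN = r"(?:[A-Za-z_][A-Za-z0-9_]*|\d+|-)"
_SAFE_PATH = re.compile(rf"^(?:/{_TOKEN})+$")

# Syntax that only makes sense if the path is being evaluated as a SpEL
# expression: type references T(...), method calls, constructors, variables, literals.
_SPEL_MARKERS = re.compile(r"[()]|\bnew\b|[#@$]|['\"]")


def check_json_patch(body: str) -> List[Tuple[int, str, str]]:
    """Inspect a JSON Patch body and return (op_index, path, reason) for every
    operation whose "path" or "from" is not a plain JSON Pointer.

    Raises ValueError when the body is not a JSON array at all, so a caller can
    reject malformed input outright instead of silently passing it through.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not JSON: {exc}") from None
    if not isinstance(doc, list):
        raise ValueError("a JSON Patch body must be an array of operations")

    findings: List[Tuple[int, str, str]] = []
    for index, op in enumerate(doc):
        if not isinstance(op, dict):
            findings.append((index, "", "operation is not an object"))
            continue
        # "from" (move/copy operations) is checked as well, as a conservative choice.
        for key in ("path", "from"):
            if key not in op:
                continue
            value = op[key]
            if not isinstance(value, str):
                findings.append((index, repr(value), f"{key} is not a string"))
            elif _SPEL_MARKERS.search(value):
                findings.append((index, value, f"{key} contains SpEL-like syntax"))
            elif not _SAFE_PATH.match(value):
                findings.append((index, value, f"{key} is not a JSON Pointer of property names"))
    return findings


_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z0-9]+)?$")


def spring_data_rest_affected(version: str) -> bool:
    """True when a Spring Data REST version string falls inside the ranges this
    page lists: anything before 2.6.9 (Ingalls SR9), and every 3.0.0 build
    (M1-M4, RC1-RC3 and GA) before 3.0.1 (Kay SR1). Qualifiers such as
    ".RELEASE", ".RC3" or ".M1" are accepted and ignored for the comparison.
    """
    match = _VERSION.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    if major < 2:
        return True
    if major == 2:
        return (minor, patch) < (6, 9)
    if major == 3:
        return (minor, patch) < (0, 1)
    return False


# Constructed sample bodies (not captured traffic): one ordinary JSON Patch and
# one whose path is shaped like a SpEL expression rather than a JSON Pointer.
SAMPLE_BENIGN = '[{"op": "replace", "path": "/lastname", "value": "Doe"}]'
SAMPLE_SUSPICIOUS = (
    '[{"op": "replace", '
    '"path": "/T(java.lang.System).getProperty(\'user.name\')/lastname", '
    '"value": "x"}]'
)

if __name__ == "__main__":
    for label, body in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, check_json_patch(body))
    for v in ("2.6.8.RELEASE", "2.6.9.RELEASE", "3.0.0.RC3", "3.0.1.RELEASE"):
        print(v, "affected" if spring_data_rest_affected(v) else "not affected")
```

The path check is an allow-list on purpose: rather than trying to enumerate every SpEL construct an attacker could use, it accepts only what a legitimate JSON Patch against a Spring Data entity can contain and reports everything else. The version check is a triage aid for dependency inventories; the real fix is upgrading to 2.6.9 / 3.0.1 or later, and the check does not cover Spring Boot's own version ranges.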

*Credits: N/A
CVSS Scores
CVSS v3 (Scope Unchanged), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 9.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS v3 (Scope Changed), vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, base score 10.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS v2, vector AV:N/AC:L/Au:N/C:P/I:P/A:P, base score 7.5
Attack Vector: Network
Attack Complexity: Low
Authentication: None
Confidentiality: Partial
Integrity: Partial
Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2017-04-21 CVE Reserved
  • 2017-10-01 First Exploit
  • 2018-01-04 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-08-12 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-20: Improper Input Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor            Product           Version   Other       Status
Vmware            Spring Boot       < 1.5.9   -           Affected
Vmware            Spring Boot       2.0.0     milestone1  Affected
Vmware            Spring Boot       2.0.0     milestone2  Affected
Vmware            Spring Boot       2.0.0     milestone3  Affected
Vmware            Spring Boot       2.0.0     milestone4  Affected
Vmware            Spring Boot       2.0.0     milestone5  Affected
Pivotal Software  Spring Data Rest  < 2.6.9   -           Affected
Pivotal Software  Spring Data Rest  3.0.0     -           Affected
Pivotal Software  Spring Data Rest  3.0.0     m1          Affected
Pivotal Software  Spring Data Rest  3.0.0     m2          Affected
Pivotal Software  Spring Data Rest  3.0.0     m3          Affected
Pivotal Software  Spring Data Rest  3.0.0     m4          Affected
Pivotal Software  Spring Data Rest  3.0.0     rc1         Affected
Pivotal Software  Spring Data Rest  3.0.0     rc2         Affected
Pivotal Software  Spring Data Rest  3.0.0     rc3         Affected