CVE-2017-8046
Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
Public Exploits: 11
Exploited in Wild: -
SSVC Decision: -
Descriptions
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9) or prior to 3.0.1 (Kay SR1), and Spring Boot versions prior to 1.5.9 or 2.0 M6, can use specially crafted JSON data to run arbitrary Java code.
Red Hat Fuse Integration Services provides a set of tools and containerized xPaaS images that enable development, deployment, and management of integration microservices within OpenShift. Security fixes: undertow: a client can use a bogus URI in Digest authentication; spring-boot: malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code. Issues addressed include bypass, deserialization, and file disclosure vulnerabilities.
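The "specially crafted JSON" in the descriptions above is a JSON Patch (RFC 6902) document sent to a Spring Data REST endpoint with Content-Type application/json-patch+json. In the affected versions the path of each patch operation was evaluated as a Spring Expression Language (SpEL) expression instead of being resolved as a plain JSON Pointer (RFC 6901), which is what turns a PATCH body into code execution. The following is an added example, not code from this page or from the Spring projects: a request-side check in Python that accepts only operations whose path and from fields are plain JSON Pointers built from benign reference tokens, so anything shaped like an expression (parentheses, dots, quotes, #) is rejected before it reaches the application. The function names and the two sample bodies are constructed for the example; the real fix is upgrading to the versions named above, and this check is only a stopgap in front of an instance that cannot be upgraded yet.

```python
import json
import re
from typing import Dict, List

# RFC 6901 reference tokens may contain the escapes "~0" and "~1"; beyond that we accept
# only what a resource property path looks like (names, array indices, "-" for append).
# Anything else, in particular "(", ")", ".", "#" or quotes, is not a JSON Pointer and is
# exactly the shape an injected expression needs.
_TOKEN = re.compile(r"(?:[A-Za-z0-9_\-]|~0|~1)*")

ALLOWED_OPS = {"add", "remove", "replace", "move", "copy", "test"}
JSON_PATCH_TYPE = "application/json-patch+json"


def pointer_is_sane(pointer: str) -> bool:
    """True only for a plain JSON Pointer built from benign reference tokens."""
    if pointer == "":
        return True  # the whole document
    if not pointer.startswith("/"):
        return False
    return all(_TOKEN.fullmatch(tok) for tok in pointer[1:].split("/"))


def audit_json_patch(body: bytes) -> List[str]:
    """Return findings for an RFC 6902 body; an empty list means it looked benign."""
    findings: List[str] = []
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return [f"body is not JSON: {exc}"]
    if not isinstance(doc, list):
        return ["a JSON Patch document must be an array of operations"]
    for i, op in enumerate(doc):
        if not isinstance(op, dict):
            findings.append(f"op[{i}]: not an object")
            continue
        if op.get("op") not in ALLOWED_OPS:
            findings.append(f"op[{i}]: unknown op {op.get('op')!r}")
        if "path" not in op:
            findings.append(f"op[{i}]: missing path")
        for key in ("path", "from"):
            if key in op and (not isinstance(op[key], str) or not pointer_is_sane(op[key])):
                findings.append(f"op[{i}]: {key} is not a plain JSON Pointer: {op[key]!r}")
    return findings


def inspect_request(method: str, headers: Dict[str, str], body: bytes) -> List[str]:
    """Apply the audit only where Spring Data REST would parse the body as a JSON Patch."""
    if method.upper() != "PATCH":
        return []
    lowered = {k.lower(): v for k, v in headers.items()}
    content_type = lowered.get("content-type", "").split(";")[0].strip().lower()
    if content_type != JSON_PATCH_TYPE:
        return []
    return audit_json_patch(body)


# Constructed sample bodies (not captured traffic).
BENIGN_PATCH = b'[{"op": "replace", "path": "/firstName", "value": "Ada"}]'
# A path carrying a method-call expression instead of a pointer; harmless here, but it is
# the shape the vulnerable versions evaluated instead of resolving.
SUSPECT_PATCH = b'[{"op": "replace", "path": "/T(java.lang.System).lineSeparator()/firstName", "value": "x"}]'

if __name__ == "__main__":
    hdrs = {"Content-Type": JSON_PATCH_TYPE}
    print("benign :", inspect_request("PATCH", hdrs, BENIGN_PATCH))
    print("suspect:", inspect_request("PATCH", hdrs, SUSPECT_PATCH))
```

The check is deliberately an allow-list on pointer syntax rather than a block-list of SpEL keywords such as T(; a block-list is easy to evade with alternative spellings, whereas a legitimate RFC 6902 client never needs characters outside the pointer grammar.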
Timeline
- 2017-04-21 CVE Reserved
- 2017-10-01 First Exploit
- 2018-01-04 CVE Published
- 2024-08-05 CVE Updated
- 2025-07-24 EPSS Updated
- Exploited in Wild: not recorded
- KEV Due Date: not recorded
CWE
- CWE-20: Improper Input Validation
References (16)
URL | Tag | Source
---|---|---
http://www.securityfocus.com/bid/100948 | Third Party Advisory |

URL | Date | SRC
---|---|---
https://packetstorm.news/files/id/146817 | 2018-03-15 |
https://www.exploit-db.com/exploits/44289 | 2024-08-05 |
https://github.com/Soontao/CVE-2017-8046-DEMO | 2017-10-01 |
https://github.com/guanjivip/CVE-2017-8046 | 2020-08-01 |
https://github.com/bkhablenko/CVE-2017-8046 | 2018-09-26 |
https://github.com/sj/spring-data-rest-CVE-2017-8046 | 2017-11-08 |
https://github.com/m3ssap0/SpringBreakVulnerableApp | 2020-10-18 |
https://github.com/FixYourFace/SpringBreakPoC | 2019-03-03 |
https://github.com/jkutner/spring-break-cve-2017-8046 | 2018-08-09 |
https://github.com/cved-sources/cve-2017-8046 | 2021-04-15 |
https://github.com/jsotiro/VulnerableSpringDataRest | 2019-05-08 |

URL | Date | SRC
---|---|---
https://access.redhat.com/errata/RHSA-2018:2405 | 2022-04-07 |
https://pivotal.io/security/cve-2017-8046 | 2022-04-07 |
https://access.redhat.com/security/cve/CVE-2017-8046 | 2018-08-14 |
https://bugzilla.redhat.com/show_bug.cgi?id=1553024 | 2018-08-14 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Vmware | Spring Boot | < 1.5.9 | - | Affected
Vmware | Spring Boot | 2.0.0 | milestone1 | Affected
Vmware | Spring Boot | 2.0.0 | milestone2 | Affected
Vmware | Spring Boot | 2.0.0 | milestone3 | Affected
Vmware | Spring Boot | 2.0.0 | milestone4 | Affected
Vmware | Spring Boot | 2.0.0 | milestone5 | Affected
Pivotal Software | Spring Data Rest | < 2.6.9 | - | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | - | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | m1 | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | m2 | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | m3 | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | m4 | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | rc1 | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | rc2 | Affected
Pivotal Software | Spring Data Rest | 3.0.0 | rc3 | Affected
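The affected-version table above mixes GA releases with milestone and release-candidate builds, and a plain string comparison gets their order wrong (3.0.0.RC3 predates 3.0.0.RELEASE, which predates the 3.0.1 fix). The following is an added example, not code from this page or from the Spring projects: a Python version comparator for Spring's pre-2020 naming scheme (M < RC < RELEASE) that reports whether a given Spring Data REST or Spring Boot version falls below the first fixed release on its line, using the fix versions stated in the description (2.6.9 and 3.0.1 for Spring Data REST, 1.5.9 and 2.0.0.M6 for Spring Boot). The function names and the sample inventory are assumptions for the example.

```python
import re
from typing import Iterable, List, Tuple

# major, minor, patch, qualifier rank, qualifier number
Version = Tuple[int, int, int, int, int]

# Spring's pre-2020 train naming: 3.0.0.M1 < 3.0.0.RC1 < 3.0.0.RELEASE (GA).
_QUAL_RANK = {"M": 0, "RC": 1, "RELEASE": 2}

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[\s.\-]*(?:(M|RC)(\d+)|RELEASE))?$", re.IGNORECASE
)


def parse_version(text: str) -> Version:
    """Parse strings such as '2.6.8.RELEASE', '3.0.0.RC3' or '2.0 M6' into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version string: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):  # milestone or release candidate
        return (major, minor, patch, _QUAL_RANK[m.group(4).upper()], int(m.group(5)))
    return (major, minor, patch, _QUAL_RANK["RELEASE"], 0)  # bare or .RELEASE means GA


# First fixed version on each release line, taken from the description on this page.
FIXED_IN = {
    "spring-data-rest": [parse_version("2.6.9"), parse_version("3.0.1")],
    "spring-boot": [parse_version("1.5.9"), parse_version("2.0.0.M6")],
}


def is_affected(product: str, version_text: str) -> bool:
    """True when the version predates the fix on its own major line."""
    v = parse_version(version_text)
    fixes = FIXED_IN[product]
    same_line = [f for f in fixes if f[0] == v[0]]
    if same_line:
        return v < min(same_line)
    # No fix on this major line: older lines are covered by "prior to 2.6.9" / "prior to
    # 1.5.9", and newer major lines shipped after the fix.
    return v < min(fixes)


def affected_components(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Filter (product, version) pairs down to the ones still exposed to CVE-2017-8046."""
    return [(p, v) for p, v in inventory if is_affected(p, v)]


# Constructed inventory (hypothetical deployments, not data from the page).
SAMPLE_INVENTORY = [
    ("spring-data-rest", "2.6.8.RELEASE"),
    ("spring-data-rest", "3.0.0.RC3"),
    ("spring-data-rest", "3.0.1.RELEASE"),
    ("spring-boot", "1.5.8.RELEASE"),
    ("spring-boot", "2.0.0.M5"),
    ("spring-boot", "2.0 M6"),
]

if __name__ == "__main__":
    for product, version in affected_components(SAMPLE_INVENTORY):
        print(f"AFFECTED {product} {version}")
```

Note that Spring Boot pulls in Spring Data REST transitively, so a deployment should be checked on both rows: a Boot 1.5.9 application that pins an older spring-data-rest artifact is still exposed.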