CVE-2018-1274

Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).

Published: Apr 18, 2018
Updated: May 9, 2024
CVE: CVE-2018-1274
GHSA: GHSA-5q8m-mqmx-pxp9
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-770

Affected Software
References

Software	From	Fixed in
pivotal_software / spring_data_commons	1.13	1.13.10.x
pivotal_software / spring_data_commons	2.0	2.0.5.x
pivotal_software / spring_data_rest	2.6	2.6.10.x
pivotal_software / spring_data_rest	3.0	3.0.5.x
org.springframework.data / spring-data-commons	-	1.13.11
org.springframework.data / spring-data-commons	2.0.0	2.0.6

Vulnerability Database

289,784

CVE-2018-1274