Vulnerability-Lookup

CVE-2018-1274 (GCVE-0-2018-1274)

Vulnerability from cvelistv5 – Published: 2018-04-18 16:00 – Updated: 2024-09-17 01:11

Summary

Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).

Severity ?

No CVSS data available.

CWE

Denial of Service

Assigner

dell

References

URL

	Vendor	Product	Version
	Spring by Pivotal	Spring Framework	Affected: Versions 1.13 to 1.13.10, 2.0 to 2.0.5

FKIE_CVE-2018-1274

Vulnerability from fkie_nvd - Published: 2018-04-18 16:29 - Updated: 2025-09-12 19:46

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security_alert@emc.com	http://www.securityfocus.com/bid/103769	Broken Link
security_alert@emc.com	https://pivotal.io/security/cve-2018-1274	Vendor Advisory
security_alert@emc.com	https://www.oracle.com/security-alerts/cpujul2022.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/103769	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://pivotal.io/security/cve-2018-1274	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpujul2022.html	Third Party Advisory

Impacted products

Vendor	Product	Version
pivotal_software	spring_data_commons	*
pivotal_software	spring_data_commons	*
pivotal_software	spring_data_rest	*
pivotal_software	spring_data_rest	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "55C9CB7D-2DD8-4A4A-9466-29023F3CCB08",
              "versionEndExcluding": "1.13.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "40DA8D24-E7C4-4733-B97B-356166F85FE9",
              "versionEndExcluding": "2.0.6",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC3DB8C9-2E8E-4BAB-9A59-87241988E827",
              "versionEndIncluding": "2.6.10",
              "versionStartIncluding": "2.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA2BCF43-9888-4C3E-BBBB-3EC519CECC9C",
              "versionEndIncluding": "3.0.5",
              "versionStartIncluding": "3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption)."
    },
    {
      "lang": "es",
      "value": "Spring Data Commons, en versiones anteriores a las comprendidas entre la 1.13 y la 1.13.10 y entre la 2.0 y la 2.0.5 y versiones antiguas no soportadas, contiene una vulnerabilidad property path parser provocada por la asignaci\u00f3n de recursos ilimitada. Un usuario (o atacante) remoto no autenticado puede enviar peticiones contra los endpoints REST de Spring Data o a los endpoints empleando el an\u00e1lisis de ruta de propiedades, lo que puede provocar una denegaci\u00f3n de servicio (consumo de CPU y de recursos)."
    }
  ],
  "id": "CVE-2018-1274",
  "lastModified": "2025-09-12T19:46:05.370",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-04-18T16:29:00.417",
  "references": [
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Broken Link"
      ],
      "url": "http://www.securityfocus.com/bid/103769"
    },
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://pivotal.io/security/cve-2018-1274"
    },
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://www.securityfocus.com/bid/103769"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://pivotal.io/security/cve-2018-1274"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    }
  ],
  "sourceIdentifier": "security_alert@emc.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2018-1274

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-1274

Aliases

CVE-2018-1274

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-1274",
    "description": "Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).",
    "id": "GSD-2018-1274"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-1274"
      ],
      "details": "Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).",
      "id": "GSD-2018-1274",
      "modified": "2023-12-13T01:22:37.485228Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secure@dell.com",
        "DATE_PUBLIC": "2018-04-10T00:00:00",
        "ID": "CVE-2018-1274",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Spring Framework",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Versions 1.13 to 1.13.10, 2.0 to 2.0.5"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Spring by Pivotal"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption)."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Denial of Service"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "103769",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/103769"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "name": "https://pivotal.io/security/cve-2018-1274",
            "refsource": "CONFIRM",
            "url": "https://pivotal.io/security/cve-2018-1274"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[1.13.RELEASE,1.13.10.RELEASE],[2.0.RELEASE,2.0.5.RELEASE]",
          "affected_versions": "All versions starting from 1.13.RELEASE up to 1.13.10.RELEASE, all versions starting from 2.0.RELEASE up to 2.0.5.RELEASE",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-770",
            "CWE-937"
          ],
          "date": "2019-10-03",
          "description": "Spring Data Commons contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).",
          "fixed_versions": [
            "2.0.6.RELEASE"
          ],
          "identifier": "CVE-2018-1274",
          "identifiers": [
            "CVE-2018-1274"
          ],
          "not_impacted": "All versions before 1.13.RELEASE, all versions after 1.13.10.RELEASE before 2.0.RELEASE, all versions after 2.0.5.RELEASE",
          "package_slug": "maven/org.springframework.data/spring-data-commons",
          "pubdate": "2018-04-18",
          "solution": "Upgrade to version 2.0.5.RELEASE or above.",
          "title": "Allocation of Resources Without Limits or Throttling",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2018-1274",
            "http://www.securityfocus.com/bid/103769",
            "https://pivotal.io/security/cve-2018-1274"
          ],
          "uuid": "b1be4e4b-69d9-443b-b063-31deb3c2f514"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.13.10",
                "versionStartIncluding": "1.13",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.0.5",
                "versionStartIncluding": "2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.6.10",
                "versionStartIncluding": "2.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.0.5",
                "versionStartIncluding": "3.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@dell.com",
          "ID": "CVE-2018-1274"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pivotal.io/security/cve-2018-1274",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://pivotal.io/security/cve-2018-1274"
            },
            {
              "name": "103769",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/103769"
            },
            {
              "name": "N/A",
              "refsource": "N/A",
              "tags": [],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-07-25T18:15Z",
      "publishedDate": "2018-04-18T16:29Z"
    }
  }
}

CNVD-2018-07567

Vulnerability from cnvd - Published: 2018-04-12

Title

Spring Data Commons拒绝服务漏洞

Description

Spring Data是Spring框架中提供底层数据访问的项目模块，Spring Data Commons是一个共用的基础模块。 Spring Data Commons存在拒绝服务漏洞。由于Spring Data Commons模块在解析属性路径时未限制资源分配，导致攻击者可以通过消耗CPU和内存资源来进行拒绝服务攻击。

Severity

中

Patch Name

Spring Data Commons拒绝服务漏洞的补丁

Patch Description

Formal description

用户可参考如下供应商提供的安全公告获得补丁信息： https://pivotal.io/security/cve-2018-1274

Reference

https://pivotal.io/security/cve-2018-1274

Impacted products

Name
['Pivotal Software Spring Data Commons >=1.13，<=1.13.10 (Ingalls SR10)', 'Pivotal Software Spring Data Commons >=2.0，<=2.0.5 (Kay SR5)', 'Pivotal Software Spring Data REST >=2.6，<=2.6.10 (Ingalls SR10)', 'Pivotal Software Spring Data REST >=3.0，<=3.0.5 (Kay SR5)']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-1274"
    }
  },
  "description": "Spring Data\u662fSpring\u6846\u67b6\u4e2d\u63d0\u4f9b\u5e95\u5c42\u6570\u636e\u8bbf\u95ee\u7684\u9879\u76ee\u6a21\u5757\uff0cSpring Data Commons\u662f\u4e00\u4e2a\u5171\u7528\u7684\u57fa\u7840\u6a21\u5757\u3002\r\n\r\nSpring Data Commons\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u7531\u4e8eSpring Data Commons\u6a21\u5757\u5728\u89e3\u6790\u5c5e\u6027\u8def\u5f84\u65f6\u672a\u9650\u5236\u8d44\u6e90\u5206\u914d\uff0c\u5bfc\u81f4\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u6d88\u8017CPU\u548c\u5185\u5b58\u8d44\u6e90\u6765\u8fdb\u884c\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002",
  "discovererName": "Yevhenii Hrushka (Yevgeniy Grushka), Fortify Webinspect",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://pivotal.io/security/cve-2018-1274",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-07567",
  "openTime": "2018-04-12",
  "patchDescription": "Spring Data\u662fSpring\u6846\u67b6\u4e2d\u63d0\u4f9b\u5e95\u5c42\u6570\u636e\u8bbf\u95ee\u7684\u9879\u76ee\u6a21\u5757\uff0cSpring Data Commons\u662f\u4e00\u4e2a\u5171\u7528\u7684\u57fa\u7840\u6a21\u5757\u3002\r\n\r\nSpring Data Commons\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u7531\u4e8eSpring Data Commons\u6a21\u5757\u5728\u89e3\u6790\u5c5e\u6027\u8def\u5f84\u65f6\u672a\u9650\u5236\u8d44\u6e90\u5206\u914d\uff0c\u5bfc\u81f4\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u6d88\u8017CPU\u548c\u5185\u5b58\u8d44\u6e90\u6765\u8fdb\u884c\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Spring Data Commons\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Pivotal Software Spring Data Commons \u003e=1.13\uff0c\u003c=1.13.10 (Ingalls SR10)",
      "Pivotal Software Spring Data Commons \u003e=2.0\uff0c\u003c=2.0.5 (Kay SR5)",
      "Pivotal Software Spring Data REST \u003e=2.6\uff0c\u003c=2.6.10 (Ingalls SR10)",
      "Pivotal Software Spring Data REST \u003e=3.0\uff0c\u003c=3.0.5 (Kay SR5)"
    ]
  },
  "referenceLink": "https://pivotal.io/security/cve-2018-1274",
  "serverity": "\u4e2d",
  "submitTime": "2018-04-12",
  "title": "Spring Data Commons\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

GHSA-5Q8M-MQMX-PXP9

Vulnerability from github – Published: 2018-10-17 17:23 – Updated: 2024-03-04 20:01

Summary

Spring Data Commons contain a property path parser vulnerability caused by unlimited resource allocation

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.data:spring-data-commons"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.13.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.data:spring-data-commons"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1274"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:17:03Z",
    "nvd_published_at": "2018-04-18T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).",
  "id": "GHSA-5q8m-mqmx-pxp9",
  "modified": "2024-03-04T20:01:15Z",
  "published": "2018-10-17T17:23:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1274"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-data-commons/commit/371f6590c509c72f8e600f3d05e110941607fba"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-data-commons/commit/3d8576fe4e4e71c23b9e6796b32fd56e51182ee"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-5q8m-mqmx-pxp9"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2018-1274"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103769"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spring Data Commons contain a property path parser vulnerability caused by unlimited resource allocation"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-1274 (GCVE-0-2018-1274)

FKIE_CVE-2018-1274

GSD-2018-1274

CNVD-2018-07567

GHSA-5Q8M-MQMX-PXP9

Tags

Sightings

Nomenclature