CVE-2018-1274 — Spring Data Commons contain a property path parser vulnerability caused by unlim

Description

Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).

How to fix CVE-2018-1274

To remediate CVE-2018-1274, upgrade the affected package to a fixed version below.

—upgrade to 1.13.11 or later

Is CVE-2018-1274 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.13.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (7)

ADVISORYgithub.com/advisories/GHSA-5q8m-mqmx-pxp9
ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1274
WEBgithub.com/spring-projects/spring-data-commons/commit/371f6590c509c72f8e600f3d05e110941607fba
WEBgithub.com/spring-projects/spring-data-commons/commit/3d8576fe4e4e71c23b9e6796b32fd56e51182ee