CVE-2018-1273

Spring Data Commons vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

Spring Data Commons contains a remote code execution vulnerability in its property binder: request parameter names are turned into property paths and evaluated as Spring Expression Language (SpEL), so an unauthenticated attacker who controls a parameter can have the server evaluate an expression of their choosing. The binder is reachable through Spring Data REST backed HTTP resources and through Spring Data's projection-based request payload binding. Affected versions are 1.13 prior to 1.13.10, 2.0 prior to 2.0.5, and all older unsupported versions. The vulnerability was publicly disclosed on April 11, 2018. CISA lists CVE-2018-1273 in its Known Exploited Vulnerabilities catalog as exploited in the wild, and it has been reported as used in ransomware campaigns.

Technical details

The binder in question is MapDataBinder (package org.springframework.data.web), which Spring Data uses to bind request parameters onto a map-backed target. For each parameter it parsed the parameter name as a property path and evaluated it with the SpEL parser against a StandardEvaluationContext. That is the unrestricted context: it permits type references (T(...)), method and constructor invocation, and variable access, so a parameter name that is a valid SpEL expression is executed with the application's privileges. The injection point is therefore the parameter name, not its value, which matters for any filtering you put in front of the application. The fix replaced the StandardEvaluationContext with a SimpleEvaluationContext configured for data binding, which supports property-path navigation only and rejects type references, method calls and the other expression features. Applications are affected wherever this binder is reachable from untrusted input, in practice Spring Data REST endpoints and handlers that use projection-based payload binding.

The vulnerability is classified as CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')) and CWE-94 (Improper Control of Generation of Code ('Code Injection')).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.

Impact

An unauthenticated attacker can execute arbitrary code with the privileges of the JVM process hosting the application (typically the application server's service account), which can lead to complete compromise of the host. Consequences include data theft, malware installation, lateral movement within the network, and denial of service.

Mitigation and workarounds

Upgrade Spring Data Commons to 1.13.10 or 2.0.5 or later; 2.1.0 and later also contain the fix. Most applications do not declare spring-data-commons directly but receive it transitively through a Spring Data module (spring-data-jpa, spring-data-mongodb and so on) or a Spring Boot starter, so editing a declared version is not enough on its own: check the resolved version with mvn dependency:tree or gradle dependencies, and with Spring Boot move to a Boot release whose managed dependency resolves to a fixed version. Where the dependency is declared directly, for Maven set <version>2.0.5.RELEASE</version> (or 1.13.10.RELEASE on the 1.13 line) in pom.xml, and for Gradle use 'org.springframework.data:spring-data-commons:2.0.5.RELEASE' (or 1.13.10.RELEASE) in build.gradle. After updating, rebuild, redeploy, and confirm the version that actually ships in the deployed artifact. The following versions include the fix: Spring Data Commons 1.13.10+, 2.0.5+, and 2.1.0+.
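As an added check for this step (not code from the advisory or from the Spring Data project), the following Python script reads dependency-tree output and reports whether the resolved spring-data-commons version predates the fix. It assumes the Maven and Gradle text formats shown in the constructed sample, ignores version qualifiers such as RELEASE or RC1, and encodes the fixed versions stated above; the names SAMPLE_TREE, is_vulnerable and scan_dependency_tree are this example's own.

```python
import re

# Added example (not from the advisory or the Spring Data project): scan
# `mvn dependency:tree` or `gradle dependencies` output for the resolved
# spring-data-commons version and flag it against the fixed versions named
# in the advisory: 1.13.10 on the 1.13 line, 2.0.5 on the 2.0 line, 2.1.0+
# fixed, and every branch before 1.13 unsupported (treated as vulnerable).

ARTIFACT_RE = re.compile(
    r"org\.springframework\.data:spring-data-commons:(?:jar:)?(\d[\w.\-]*)"
)
# Gradle prints "requested -> resolved" when a version is bumped by conflict
# resolution or a BOM; the resolved version is the one that ships.
RESOLVED_RE = re.compile(r"->\s*(\d[\w.\-]*)")


def parse_version(version):
    """Leading numeric components of a Spring version string as a tuple.

    '1.13.10.RELEASE' -> (1, 13, 10). Qualifiers such as RELEASE, RC1 or
    BUILD-SNAPSHOT are ignored (assumption: only release builds are compared).
    Comparing tuples, not strings, is what makes 1.13.10 sort after 1.13.9.
    """
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_vulnerable(version):
    """True if this spring-data-commons version predates the CVE-2018-1273 fix."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch == (1, 13):
        return patch < 10
    if branch == (2, 0):
        return patch < 5
    if branch < (1, 13):
        return True   # older, unsupported branch: no fixed release exists
    return False      # 2.1.0 and later include the fix


def scan_dependency_tree(text):
    """Return [(resolved_version, vulnerable), ...] for each spring-data-commons line."""
    findings = []
    for line in text.splitlines():
        match = ARTIFACT_RE.search(line)
        if not match:
            continue
        resolved = match.group(1)
        bumped = RESOLVED_RE.search(line)
        if bumped:
            resolved = bumped.group(1)
        findings.append((resolved, is_vulnerable(resolved)))
    return findings


# Constructed sample output (not a real build): one Maven-style subtree and
# one Gradle-style line with a conflict-resolved version.
SAMPLE_TREE = r"""
[INFO] com.example:shop:jar:1.0.0
[INFO] \- org.springframework.data:spring-data-jpa:jar:2.0.4.RELEASE:compile
[INFO]    \- org.springframework.data:spring-data-commons:jar:2.0.4.RELEASE:compile
+--- org.springframework.data:spring-data-commons:1.13.9.RELEASE -> 1.13.10.RELEASE
"""

if __name__ == "__main__":
    for version, vulnerable in scan_dependency_tree(SAMPLE_TREE):
        print(f"spring-data-commons {version}: {'VULNERABLE' if vulnerable else 'fixed'}")
```

Run it against `mvn dependency:tree` output piped to a file, or paste the relevant `gradle dependencies` lines; the point of the numeric comparison is that a string or lexical check would wrongly rank 1.13.9 above 1.13.10.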

Temporary workarounds, none of which replace the upgrade: validate request parameter names, not only values, since in this vulnerability the parameter name is what becomes the property path and is evaluated, so a filter that inspects values alone misses the attack; reject names containing SpEL constructs such as T(...) type references, #variables, method calls (parentheses) or ${...} placeholders, and any bracket segment that is not a plain index or map key, applying the check to the decoded name as the binder sees it. Disable automatic binding of request parameters onto domain or projection types and explicitly whitelist the fields that may be bound. Use Spring Security to restrict access to the affected endpoints (Spring Data REST resources and handlers that use projection binding) and add a request filter that rejects parameters matching the patterns above.
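As an added example (not code from the advisory or from Spring Data), the following Python script implements the parameter-name check described above and runs it over constructed access-log lines. It assumes that a legitimate property path consists of dotted identifiers with integer indexes or plain map keys in brackets, and treats anything carrying SpEL syntax as suspicious; names are checked after URL decoding, which is the form the binder receives. The names is_suspicious_param_name, suspicious_params, scan_access_log and SAMPLE_LOG are this example's own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Added example (not the advisory's or the Spring Data project's code): a
# parameter-name check of the kind the workaround describes. For
# CVE-2018-1273 the property path comes from the parameter *name*, so the
# name is what is inspected; values are left alone here.

BRACKET_RE = re.compile(r"\[([^\]]*)\]")
# A bracket segment in a legitimate property path is an index (addresses[0])
# or a plain map key (attributes[color]).
PLAIN_SEGMENT_RE = re.compile(r"^\w*$")
# Outside brackets a property path is dotted identifiers only (user.address.city).
DOTTED_PATH_RE = re.compile(r"^[\w.]*$")
# Characters a property path never needs but SpEL does: variables (#), type
# references and method calls (parentheses), string literals, bean references
# (@) and ${...} placeholders.
EXPRESSION_MARKERS = ("#", "(", ")", "'", '"', "@", "${")


def is_suspicious_param_name(name):
    """True if a (decoded) request parameter name looks like an expression."""
    if any(marker in name for marker in EXPRESSION_MARKERS):
        return True
    if any(not PLAIN_SEGMENT_RE.match(seg) for seg in BRACKET_RE.findall(name)):
        return True
    # Whatever remains after removing well-formed [..] segments must be a plain
    # dotted path; a stray bracket or other punctuation fails this check.
    return DOTTED_PATH_RE.match(BRACKET_RE.sub("", name)) is None


def suspicious_params(query):
    """Names in a query string that fail the check, after URL decoding.

    Decoding first matters: the binder sees the decoded name, so %23 (#) or
    %5B ([) in the raw request line must not slip past a check on raw text.
    """
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if is_suspicious_param_name(name)]


# Combined-format access log request line; only the query string is examined,
# so POST bodies (the projection-binding path) need a request filter instead.
REQUEST_LINE_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Return [(path, [suspicious names]), ...] for log lines that trip the check."""
    hits = []
    for line in lines:
        match = REQUEST_LINE_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        names = suspicious_params(target.query)
        if names:
            hits.append((target.path, names))
    return hits


# Constructed log lines (not captured traffic): a benign nested-path request,
# a request whose parameter name carries a SpEL variable reference, and a
# POST whose body the access log cannot show.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2018:10:01:02 +0000] "GET /users?name=alice&addresses%5B0%5D.city=Paris HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Apr/2018:10:01:07 +0000] "GET /users?name%5B%23this.getClass().getName()%5D=x HTTP/1.1" 500 0',
    '10.0.0.7 - - [12/Apr/2018:10:01:09 +0000] "POST /users/search HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for path, names in scan_access_log(SAMPLE_LOG):
        print(path, names)
```

The same is_suspicious_param_name check is what a servlet filter in front of the application would apply to each decoded parameter name before the request reaches the binder; the access-log variant is only useful for hunting past GET-style attempts, because request bodies are not logged.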

CISA's recommendation: Apply updates per vendor instructions.

Source: This report was generated using AI

Related Spring by Pivotal Vulnerabilities

No related vulnerabilities found with identified affected products.