CVE-2018-1273 - OpenCVE

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is in the KEV database since March 25, 2022.

Exploitation active

Automatable yes

Technical Impact total

Vendors	Products
Apache	Ignite
Oracle	Financial Services Crime And Compliance Management Studio
Pivotal Software	Spring Data Commons Spring Data Rest

Configuration 1 [-]

OR	cpe:2.3:a:pivotal_software:spring_data_commons::::::::
	cpe:2.3:a:pivotal_software:spring_data_commons::::::::
	cpe:2.3:a:pivotal_software:spring_data_commons::::::::

Configuration 2 [-]

OR	cpe:2.3:a:pivotal_software:spring_data_rest::::::::
	cpe:2.3:a:pivotal_software:spring_data_rest::::::::
	cpe:2.3:a:pivotal_software:spring_data_rest::::::::

Configuration 3 [-]

OR	cpe:2.3:a:apache:ignite::::::::
	cpe:2.3:a:apache:ignite:1.0.0:-::::::
	cpe:2.3:a:apache:ignite:1.0.0:rc3::::::

Configuration 4 [-]

OR	cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:::::::*
	cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:::::::*

No data.

References

Link	Providers
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
https://nvd.nist.gov/vuln/detail/CVE-2018-1273
https://pivotal.io/security/cve-2018-1273
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://www.cve.org/CVERecord?id=CVE-2018-1273
https://www.oracle.com/security-alerts/cpujul2022.html

History

Thu, 31 Jul 2025 09:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-74

Fri, 14 Mar 2025 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-Other

Fri, 07 Feb 2025 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2022-03-25'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 14 Aug 2024 00:30:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2018-04-11T13:00:00.000Z

Updated: 2025-07-30T01:46:16.199Z

Reserved: 2017-12-06T00:00:00.000Z

Link: CVE-2018-1273

Vulnrichment

Updated: 2024-08-05T03:51:48.994Z

NVD

Status : Analyzed

Published: 2018-04-11T13:29:00.290

Modified: 2025-07-30T19:04:54.460

Link: CVE-2018-1273

Redhat

Severity : Critical

Publid Date: 2018-03-27T00:00:00Z

Links: CVE-2018-1273 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation active

Automatable yes

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object