RCE in Spring By Pivotal Framework
CVE-2018-1273
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (…
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.943 (99.9th percentile)
Affected products
- Spring By Pivotal Framework (Spring Data Commons): versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions (fixed in 1.13.11 and 2.0.6)
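The first practical check for this advisory is whether a build actually ships an affected Spring Data Commons release, which is easy to miss when it arrives transitively through spring-data-jpa or a Boot starter. The script below is an added example written for this page, not code from Pivotal or the Spring Data project. It scans the text output of `mvn dependency:tree` or `gradle dependencies` (sample output is constructed inline), pulls out the version of the Maven artifact `org.springframework.data:spring-data-commons` (the artifact coordinates are an assumption; the page names only the product), honours Gradle's `->` conflict-resolution arrow so the resolved version is the one judged, and compares it against the ranges listed above (1.13 to 1.13.10, 2.0 to 2.0.5, and anything older than 1.13).

```python
import re
import sys
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Maven coordinates of Spring Data Commons (assumption: the page names the
# product, not the artifact).
ARTIFACT = "org.springframework.data:spring-data-commons"

# Affected ranges as the advisory on this page states them, inclusive.
# "Older unsupported versions" is taken to mean everything below 1.13.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((1, 13, 0), (1, 13, 10)),
    ((2, 0, 0), (2, 0, 5)),
]
OLDEST_SUPPORTED_LINE: Version = (1, 13, 0)

# Matches the artifact in both Maven (":jar:<ver>:compile") and Gradle
# (":<ver>", optionally followed by "-> <resolved>") dependency listings.
DEP_RE = re.compile(
    re.escape(ARTIFACT)
    + r"(?::jar)?:(?P<declared>[0-9][^\s:]*)"
    + r"(?:\s*->\s*(?P<resolved>[0-9][^\s:]*))?"
)


def parse_version(text: str) -> Optional[Version]:
    """'2.0.5.RELEASE', '1.13.10.RELEASE' or '2.7.3' -> (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if the version falls inside a range this advisory lists as affected."""
    if version < OLDEST_SUPPORTED_LINE:
        return True  # "older unsupported versions"
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def effective_versions(tree_output: str) -> List[str]:
    """Version strings of spring-data-commons actually on the classpath.

    When Gradle prints 'declared -> resolved', the resolved version is what
    ships, so that is the one returned.
    """
    found = []
    for line in tree_output.splitlines():
        m = DEP_RE.search(line)
        if m:
            found.append(m.group("resolved") or m.group("declared"))
    return found


def assess(tree_output: str) -> Dict[str, Optional[bool]]:
    """Map each spring-data-commons version seen to True (affected),
    False (not affected) or None (version not understood; check by hand)."""
    verdicts: Dict[str, Optional[bool]] = {}
    for v in effective_versions(tree_output):
        parsed = parse_version(v)
        verdicts[v] = is_affected(parsed) if parsed else None
    return verdicts


# Constructed sample output in the shape of `mvn dependency:tree`.
SAMPLE_MAVEN_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.data:spring-data-jpa:jar:2.0.5.RELEASE:compile
[INFO] |  \\- org.springframework.data:spring-data-commons:jar:2.0.5.RELEASE:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE:compile
"""

# Constructed sample output in the shape of `gradle dependencies`, where a
# version conflict was resolved upward to a fixed release.
SAMPLE_GRADLE_TREE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.springframework.boot:spring-boot-starter-data-jpa:2.0.1.RELEASE
|    \\--- org.springframework.data:spring-data-jpa:2.0.6.RELEASE
|         \\--- org.springframework.data:spring-data-commons:2.0.5.RELEASE -> 2.0.6.RELEASE
"""


if __name__ == "__main__":
    # Pipe real build output in, or fall back to the constructed samples.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MAVEN_TREE + SAMPLE_GRADLE_TREE
    labels = {True: "AFFECTED (CVE-2018-1273)", False: "not affected", None: "unparsed"}
    for version, verdict in assess(text).items():
        print(f"{ARTIFACT}:{version}: {labels[verdict]}")
```

Run it as `mvn dependency:tree | python check_spring_data_commons.py` (or the Gradle equivalent); the Maven sample reports 2.0.5.RELEASE as affected, while the Gradle sample reports only the resolved 2.0.6.RELEASE and therefore passes. A declared version that Gradle resolves downward would be caught the same way, because only the resolved version is judged.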
Weakness classification (CWE)
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on 2022-03-25. KEV inclusion means CISA has reliable evidence of in-the-wild exploitation; under BOD 22-01, US federal civilian agencies must remediate by the published due date.
BOD 22-01 due date: .
Required action: Apply updates per vendor instructions.
Known ransomware campaign use: yes.
Public proof-of-concept exploits
References
- [ignite-dev] 2018-07-19: [CVE-2018-1273] Apache Ignite impacted by security vulnerability in Spring Data Commons (mailing list)
- www.oracle.com/security-alerts/cpujul2022.html (Oracle Critical Patch Update, July 2022)
- pivotal.io/security/cve-2018-1273 (vendor advisory)
Frequently asked questions
- What is CVE-2018-1273?
- CVE-2018-1273 is a vulnerability in Spring By Pivotal Framework (Spring Data Commons), classified as Code Injection. Published 2018-04-11.
- Is CVE-2018-1273 known to be exploited?
- Yes. CVE-2018-1273 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-03-25), indicating it is being actively exploited. 81 public proof-of-concept repositories are indexed.