HTTP: Pivotal Spring Framework isWritableProperty SpEL Injection
This signature detects attempts to exploit a known vulnerability against Pivotal Spring Framework.Successful exploitation results in arbitrary code execution under the security context of the target application.
Extended Description
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
Affected Products
Pivotal_software spring_data_rest
References
CVE: CVE-2018-1273
Short Name
HTTP:CTS-CVE-2018-1273-RCE
Severity
Major
Recommended
True
Recommended Action
Drop
Category
HTTP
Keywords
CVE-2018-1273 Framework Injection Pivotal SpEL Spring isWritableProperty
Release Date
09/27/2018
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3724
False Positive
Unknown
Vendors
Apache
Pivotal_software
Oracle
CVSS Score
7.5