
Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
Short Info
- Level: Critical
- Scan type: Single Scan
- Can be used by: Asset Owner
- Estimated Time: 10 seconds
- Time Interval: 11 days 9 hours
- Scope: Scan only one URL
Spring Data REST versions before 2.6.9 (Ingalls SR9) and 3.0.1 (Kay SR1), and Spring Boot versions before 1.5.9 and 2.0 M6, contain a remote code execution vulnerability (CVE-2017-8046). It is triggered when the application processes a malicious PATCH request carrying crafted JSON data, which lets an attacker execute arbitrary Java code on the server. Exploitation requires only that the attacker be able to send PATCH requests to a vulnerable endpoint.
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-8046
- https://spring.io/security/cve-2017-8046
- https://access.redhat.com/errata/RHSA-2018:2405
- https://www.exploit-db.com/exploits/44289/
- https://github.com/jkutner/spring-break-cve-2017-8046
Remediation:
To remediate this vulnerability, update Spring Data REST to 2.6.9 or later on the 2.6.x (Ingalls) line, or to 3.0.1 or later on the 3.0.x (Kay) line, and update Spring Boot to 1.5.9 or later on the 1.5.x line, or to 2.0 M6 or later on the 2.0 line.