CyberSec.Space Logo
CVEブラウザに戻る

CVE-2017-8046

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0810%
EPSS Percentile20.48th
Published2018年1月4日
Last Modified2024年11月21日

Vulnerability Description

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

Affected Platforms (CPE)

📦
Vmware

Spring Boot

< 1.5.9
📦
Vmware

Spring Boot

= 2.0.0
📦
Vmware

Spring Boot

= 2.0.0
📦
Vmware

Spring Boot

= 2.0.0
📦
Vmware

Spring Boot

= 2.0.0
📦
Vmware

Spring Boot

= 2.0.0
📦
Pivotal Software

Spring Data Rest

< 2.6.9
📦
Pivotal Software

Spring Data Rest

= 3.0.0
📦
Pivotal Software

Spring Data Rest

= 3.0.0
📦
Pivotal Software

Spring Data Rest

= 3.0.0
📦
Pivotal Software

Spring Data Rest

= 3.0.0
📦
Pivotal Software

Spring Data Rest

= 3.0.0
📦
Pivotal Software

Spring Data Rest

= 3.0.0
📦
Pivotal Software

Spring Data Rest

= 3.0.0
📦
Pivotal Software

Spring Data Rest

= 3.0.0

References & Advisories

🔗 http://www.securityfocus.com/bid/100948
🔗 https://access.redhat.com/errata/RHSA-2018:2405
🔗 https://pivotal.io/security/cve-2017-8046
🔗 https://www.exploit-db.com/exploits/44289/
🔗 http://www.securityfocus.com/bid/100948
🔗 https://access.redhat.com/errata/RHSA-2018:2405
🔗 https://pivotal.io/security/cve-2017-8046
🔗 https://www.exploit-db.com/exploits/44289/

関連する脆弱性情報

CVE-2021-390529.8

IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to access the Spring Boot console without autho...

CVE-2021-413039.8

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication ...

CVE-2019-91869.8

In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to ...

CVE-2021-260778.8

Broken Authentication in Atlassian Connect Spring Boot (ACSB) in version 1.1.0 before 2.1.3 and from version 2.1.4 before 2.1.5: A...