CVE-2017-8046
Summary
| CVE | CVE-2017-8046 |
|---|---|
| State | PUBLISHED |
| Assigner | dell |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-01-04 06:29:00 UTC |
| Updated | 2026-06-26 18:44:14 UTC |
| Description | Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code. |
Risk And Classification
Primary CVSS: v3.0 9.8 CRITICAL from [email protected]
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Problem Types: CWE-20 | run arbitrary Java code
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.0 | [email protected] | Primary | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 7.5 | | AV:N/AC:L/Au:N/C:P/I:P/A:P |
CVSS v3.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | Partial |
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Pivotal Software | Spring Data Rest | 3.0.0 | All | All | All |
| Application | Pivotal Software | Spring Data Rest | 3.0.0 | m1 | All | All |
| Application | Pivotal Software | Spring Data Rest | 3.0.0 | m2 | All | All |
| Application | Pivotal Software | Spring Data Rest | 3.0.0 | m3 | All | All |
| Application | Pivotal Software | Spring Data Rest | 3.0.0 | m4 | All | All |
| Application | Vmware | Spring Boot | All | All | All | All |
| Application | Vmware | Spring Boot | 2.0.0 | milestone1 | All | All |
| Application | Vmware | Spring Boot | 2.0.0 | milestone2 | All | All |
| Application | Vmware | Spring Boot | 2.0.0 | milestone3 | All | All |
| Application | Vmware | Spring Boot | 2.0.0 | milestone4 | All | All |
| Application | Vmware | Spring Boot | 2.0.0 | milestone5 | All | All |
| Application | Vmware | Spring Data Rest | All | All | All | All |
| Application | Vmware | Spring Data Rest | 3.0.0 | rc1 | All | All |
| Application | Vmware | Spring Data Rest | 3.0.0 | rc2 | All | All |
| Application | Vmware | Spring Data Rest | 3.0.0 | rc3 | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Pivotal | Pivotal Spring Data REST And Spring Boot | affected Pivotal Spring Data REST versions prior to 2.6.9 (Ingalls SR9), 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution - Java webapps Exploit | af854a3a-2127-422b-91ae-364da2661108 | www.exploit-db.com | Third Party Advisory, VDB Entry |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | |
| CVE-2017-8046: RCE in PATCH requests in Spring Data REST \| Security \| Pivotal | af854a3a-2127-422b-91ae-364da2661108 | pivotal.io | Vendor Advisory |
| Multiple Pivotal Products CVE-2017-8046 Remote Code Execution Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.