{"api_version":"1","generated_at":"2026-04-23T06:19:11+00:00","cve":"CVE-2018-1259","urls":{"html":"https://cve.report/CVE-2018-1259","api":"https://cve.report/api/cve/CVE-2018-1259.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-1259","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-1259"},"summary":{"title":"CVE-2018-1259","description":"Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.","state":"PUBLIC","assigner":"secure@dell.com","published_at":"2018-05-11 20:29:00","updated_at":"2022-07-25 18:15:00"},"problem_types":["CWE-611"],"metrics":[],"references":[{"url":"https://access.redhat.com/errata/RHSA-2018:1809","name":"RHSA-2018:1809","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2018:3768","name":"RHSA-2018:3768","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://pivotal.io/security/cve-2018-1259","name":"https://pivotal.io/security/cve-2018-1259","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"CVE-2018-1259: XXE with Spring Data’s XMLBeam integration | Security | VMware Tanzu","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-1259","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1259","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"1259","vulnerable":"1","versionEndIncluding":"1.13.11","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pivotal_software","cpe5":"spring_data_commons","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1259","vulnerable":"1","versionEndIncluding":"2.0.6","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pivotal_software","cpe5":"spring_data_commons","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1259","vulnerable":"1","versionEndIncluding":"2.6.11","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pivotal_software","cpe5":"spring_data_rest","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1259","vulnerable":"1","versionEndIncluding":"3.0.6","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pivotal_software","cpe5":"spring_data_rest","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1259","vulnerable":"1","versionEndIncluding":"1.4.14","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xmlbeam","cpe5":"xmlbeam","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-1259","qid":"980992","title":"Java (maven) Security Update for org.springframework.data:spring-data-commons (GHSA-m929-7fr6-cvjg)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"secure@dell.com","DATE_PUBLIC":"2018-05-09T00:00:00","ID":"CVE-2018-1259","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Spring Data Commons","version":{"version_data":[{"version_value":"1.13 prior to 1.13.12; 2.0 prior to 2.0.7"}]}}]},"vendor_name":"Pivotal"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"XML Parsing"}]}]},"references":{"reference_data":[{"name":"RHSA-2018:1809","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2018:1809"},{"name":"RHSA-2018:3768","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2018:3768"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"name":"https://pivotal.io/security/cve-2018-1259","refsource":"CONFIRM","url":"https://pivotal.io/security/cve-2018-1259"}]}},"nvd":{"publishedDate":"2018-05-11 20:29:00","lastModifiedDate":"2022-07-25 18:15:00","problem_types":["CWE-611"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*","versionStartIncluding":"1.13","versionEndIncluding":"1.13.11","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0","versionEndIncluding":"2.0.6","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*","versionStartExcluding":"2.6","versionEndIncluding":"2.6.11","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndIncluding":"3.0.6","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:xmlbeam:xmlbeam:*:*:*:*:*:*:*:*","versionEndIncluding":"1.4.14","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"1259","Ordinal":"116554","Title":"CVE-2018-1259","CVE":"CVE-2018-1259","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"1259","Ordinal":"1","NoteData":"Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"1259","Ordinal":"2","NoteData":"2018-05-11","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"1259","Ordinal":"3","NoteData":"2018-12-05","Type":"Other","Title":"Modified"}]}}}