{"api_version":"1","generated_at":"2026-04-23T07:55:40+00:00","cve":"CVE-2018-1274","urls":{"html":"https://cve.report/CVE-2018-1274","api":"https://cve.report/api/cve/CVE-2018-1274.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-1274","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-1274"},"summary":{"title":"CVE-2018-1274","description":"Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).","state":"PUBLIC","assigner":"secure@dell.com","published_at":"2018-04-18 16:29:00","updated_at":"2022-07-25 18:15:00"},"problem_types":["CWE-770"],"metrics":[],"references":[{"url":"https://pivotal.io/security/cve-2018-1274","name":"https://pivotal.io/security/cve-2018-1274","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"CVE-2018-1274: Denial of Service with Spring Data | Security | Pivotal","mime":"text/html","httpstatus":"403","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/103769","name":"103769","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Malformed Request","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-1274","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1274","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"1274","vulnerable":"1","versionEndIncluding":"1.13.10","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pivotal_software","cpe5":"spring_data_commons","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1274","vulnerable":"1","versionEndIncluding":"2.0.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pivotal_software","cpe5":"spring_data_commons","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1274","vulnerable":"1","versionEndIncluding":"2.6.10","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pivotal_software","cpe5":"spring_data_rest","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1274","vulnerable":"1","versionEndIncluding":"3.0.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pivotal_software","cpe5":"spring_data_rest","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-1274","qid":"981284","title":"Java (maven) Security Update for org.springframework.data:spring-data-commons (GHSA-5q8m-mqmx-pxp9)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"secure@dell.com","DATE_PUBLIC":"2018-04-10T00:00:00","ID":"CVE-2018-1274","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Spring Framework","version":{"version_data":[{"version_value":"Versions 1.13 to 1.13.10, 2.0 to 2.0.5"}]}}]},"vendor_name":"Spring by Pivotal"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption)."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Denial of Service"}]}]},"references":{"reference_data":[{"name":"103769","refsource":"BID","url":"http://www.securityfocus.com/bid/103769"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"name":"https://pivotal.io/security/cve-2018-1274","refsource":"CONFIRM","url":"https://pivotal.io/security/cve-2018-1274"}]}},"nvd":{"publishedDate":"2018-04-18 16:29:00","lastModifiedDate":"2022-07-25 18:15:00","problem_types":["CWE-770"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*","versionStartIncluding":"1.13","versionEndIncluding":"1.13.10","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0","versionEndIncluding":"2.0.5","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6","versionEndIncluding":"2.6.10","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndIncluding":"3.0.5","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"1274","Ordinal":"116569","Title":"CVE-2018-1274","CVE":"CVE-2018-1274","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"1274","Ordinal":"1","NoteData":"Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).","Type":"Description","Title":null},{"CveYear":"2018","CveId":"1274","Ordinal":"2","NoteData":"2018-04-18","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"1274","Ordinal":"3","NoteData":"2018-04-19","Type":"Other","Title":"Modified"}]}}}