Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1578902 - (CVE-2018-1259) CVE-2018-1259 spring-data-commons: XXE with Spring Data’s XMLBeam integration
CVE-2018-1259 spring-data-commons: XXE with Spring Data’s XMLBeam integration
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20180509,repor...
: Security
Depends On: 1578939
Blocks: 1578941
  Show dependency treegraph
 
Reported: 2018-05-16 11:00 EDT by Laura Pardo
Modified: 2018-06-07 04:26 EDT (History)
14 users (show)

See Also:
Fixed In Version: spring-data-commons 1.13.12, spring-data-commons 2.0.7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1809 None None None 2018-06-07 04:26 EDT

  None (edit)
Description Laura Pardo 2018-05-16 11:00:39 EDT
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.


References:
https://pivotal.io/security/cve-2018-1259
https://jira.spring.io/browse/DATACMNS-1292
Comment 1 Laura Pardo 2018-05-16 12:24:31 EDT
Created springframework-data-commons tracking bugs for this issue:

Affects: fedora-all [bug 1578939]
Comment 3 Jason Shepherd 2018-05-21 03:17:22 EDT
Spring Data Commons is used by the Millicore component of RHMAP which does not make use of XMLBeam. Marking RHMAP as not affected.
Comment 4 claprun@redhat.com 2018-06-01 04:44:44 EDT
Shouldn't this be marked as high as that's how it's marked by Pivotal on its CVE?
Comment 5 errata-xmlrpc 2018-06-07 04:26:06 EDT
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes (text-only advisories)

Via RHSA-2018:1809 https://access.redhat.com/errata/RHSA-2018:1809

Note You need to log in before you can comment on or make changes to this bug.