Red Hat Bugzilla – Bug 1578902
CVE-2018-1259 spring-data-commons: XXE with Spring Data’s XMLBeam integration
Last modified: 2018-06-07 04:26:13 EDT
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references, as the underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
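The root cause named above is an XML parser that still expands external entity references. The following is an added illustration, not code from Spring Data, XMLBeam or the fixed XMLBeam release: it assumes a plain JAXP DocumentBuilderFactory (a stand-in for whatever parser a library wraps) and places the permissive default beside a configuration that refuses DOCTYPE declarations and external entities. The sample document is constructed; it declares only an internal entity, which is enough to show that the hardened parser rejects any DTD before entity expansion can happen.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class XxeHardeningExample {

    /** JAXP defaults: DOCTYPE declarations and entity expansion are allowed (the weak baseline). */
    static DocumentBuilderFactory permissiveFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened configuration: no DTD, no external general/parameter entities, no XInclude. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE outright is the single most effective control.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers where a DTD must still be tolerated.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: forbid any protocol for fetching external DTDs or schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parses an in-memory XML string with the given factory. */
    static Document parse(DocumentBuilderFactory f, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = f.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a request body carrying a DTD with an internal entity.
        String withDoctype =
            "<!DOCTYPE user [<!ENTITY greet \"hello\">]>"
            + "<user><name>&greet;</name></user>";

        // The permissive parser accepts the DTD and expands the entity.
        Document lax = parse(permissiveFactory(), withDoctype);
        System.out.println("permissive parser text: "
            + lax.getDocumentElement().getTextContent());

        // The hardened parser refuses the document as soon as it sees the DOCTYPE.
        try {
            parse(hardenedFactory(), withDoctype);
            System.out.println("hardened parser: unexpectedly accepted the DOCTYPE");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected input: " + e.getMessage());
        }
    }
}
```

A defender reviewing a library that binds request payloads to objects should look for exactly this distinction: whether the factory the library builds internally is left at its defaults or has these features set. The fix for an affected deployment is the upgrade path stated in this bug; the example only shows what the corrected parser configuration looks like in general.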
Created springframework-data-commons tracking bugs for this issue:
Affects: fedora-all [bug 1578939]
Spring Data Commons is used by the Millicore component of RHMAP, which does not make use of XMLBeam. Marking RHMAP as not affected.
Shouldn't this be marked as high as that's how it's marked by Pivotal on its CVE?
This issue has been addressed in the following products:
Red Hat Openshift Application Runtimes (text-only advisories)
Via RHSA-2018:1809 https://access.redhat.com/errata/RHSA-2018:1809