Bug 1578902 (CVE-2018-1259) - CVE-2018-1259 spring-data-commons: XXE with Spring Data’s XMLBeam integration
Summary: CVE-2018-1259 spring-data-commons: XXE with Spring Data’s XMLBeam integration
Status: NEW
Alias: CVE-2018-1259
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180509,repor...
Keywords: Security
Depends On: 1578939
Blocks: 1578941
 
Reported: 2018-05-16 15:00 UTC by Laura Pardo
Modified: 2018-12-04 16:01 UTC (History)

Fixed In Version: spring-data-commons 1.13.12, spring-data-commons 2.0.7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1809 None None None 2018-06-07 08:26 UTC
Red Hat Product Errata RHSA-2018:3768 None None None 2018-12-04 16:01 UTC

Description Laura Pardo 2018-05-16 15:00:39 UTC
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.


References:
https://pivotal.io/security/cve-2018-1259
https://jira.spring.io/browse/DATACMNS-1292

Comment 1 Laura Pardo 2018-05-16 16:24:31 UTC
Created springframework-data-commons tracking bugs for this issue:

Affects: fedora-all [bug 1578939]

Comment 3 Jason Shepherd 2018-05-21 07:17:22 UTC
Spring Data Commons is used by the Millicore component of RHMAP which does not make use of XMLBeam. Marking RHMAP as not affected.

Comment 4 claprun@redhat.com 2018-06-01 08:44:44 UTC
Shouldn't this be marked as high as that's how it's marked by Pivotal on its CVE?

Comment 5 errata-xmlrpc 2018-06-07 08:26:06 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes (text-only advisories)

Via RHSA-2018:1809 https://access.redhat.com/errata/RHSA-2018:1809

Comment 6 errata-xmlrpc 2018-12-04 16:01:08 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.2

Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768
