Bug 1578902 (CVE-2018-1259) - CVE-2018-1259 spring-data-commons: XXE with Spring Data’s XMLBeam integration
Summary: CVE-2018-1259 spring-data-commons: XXE with Spring Data’s XMLBeam integration
Alias: CVE-2018-1259
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1578939
Blocks: 1578941
TreeView+ depends on / blocked
Reported: 2018-05-16 15:00 UTC by Laura Pardo
Modified: 2019-09-29 14:39 UTC (History)
12 users (show)

Fixed In Version: spring-data-commons 1.13.12, spring-data-commons 2.0.7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-10 10:23:10 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1809 None None None 2018-06-07 08:26:12 UTC
Red Hat Product Errata RHSA-2018:3768 None None None 2018-12-04 16:01:15 UTC

Description Laura Pardo 2018-05-16 15:00:39 UTC
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.


Comment 1 Laura Pardo 2018-05-16 16:24:31 UTC
Created springframework-data-commons tracking bugs for this issue:

Affects: fedora-all [bug 1578939]

Comment 3 Jason Shepherd 2018-05-21 07:17:22 UTC
Spring Data Commons is used by the Millicore component of RHMAP which does not make use of XMLBeam. Marking RHMAP as not affected.

Comment 4 claprun@redhat.com 2018-06-01 08:44:44 UTC
Shouldn't this be marked as high as that's how it's marked by Pivotal on its CVE?

Comment 5 errata-xmlrpc 2018-06-07 08:26:06 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes (text-only advisories)

Via RHSA-2018:1809 https://access.redhat.com/errata/RHSA-2018:1809

Comment 6 errata-xmlrpc 2018-12-04 16:01:08 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.2

Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768

Note You need to log in before you can comment on or make changes to this bug.