Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references, as the underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system. References: https://pivotal.io/security/cve-2018-1259 https://jira.spring.io/browse/DATACMNS-1292
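The underlying defect is an XML parser that resolves external entities. The following is an added illustration (not code from Spring Data, XMLBeam or the Red Hat fix) of the JAXP parser configuration that closes this class of issue, with a constructed document carrying a DOCTYPE and an external entity pointing at a placeholder path to show that the hardened builder refuses it while ordinary input still parses; the class and method names are my own.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class HardenedXmlParser {

    // Build a DOM parser that cannot expand external entities at all.
    // Feature URIs are the standard Xerces/JAXP ones supported by the JDK parser.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE: without a DTD no entity (internal or external) can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a deployment must allow DOCTYPE: never fetch external content.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true if the builder accepted the document, false if the parser rejected it.
    // IOException is deliberately not swallowed: a resolver reaching for a file or URL is itself
    // the signal that external-entity expansion was attempted.
    public static boolean accepts(DocumentBuilder builder, String xml) throws IOException {
        try {
            builder.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: the first declares an external entity against a placeholder path.
        String withExternalEntity = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE u [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">]>"
            + "<user><name>&ext;</name></user>";
        String plain = "<user><name>alice</name></user>";
        DocumentBuilder hardened = newHardenedBuilder();
        System.out.println("hardened accepts DOCTYPE document: " + accepts(hardened, withExternalEntity)); // false
        System.out.println("hardened accepts plain document:   " + accepts(hardened, plain));              // true
    }
}
```

A quick way to audit a dependency such as an XML binding library is to run the same two inputs through its own parser factory: if the DOCTYPE document is accepted, the library is doing the expansion the advisory describes.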
Created springframework-data-commons tracking bugs for this issue: Affects: fedora-all [bug 1578939]
Spring Data Commons is used by the Millicore component of RHMAP which does not make use of XMLBeam. Marking RHMAP as not affected.
Shouldn't this be marked as high as that's how it's marked by Pivotal on its CVE?
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes (text-only advisories) Via RHSA-2018:1809 https://access.redhat.com/errata/RHSA-2018:1809
This issue has been addressed in the following products: Red Hat Fuse 7.2 Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768