Xxe

2018-05-1120:29:00

PRIOn knowledge base

www.prio-n.com

8.6 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.7%

JSON

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data’s projection-based request payload binding to access arbitrary files on the system.

CPENameOperatorVersion
spring_data_commonsge1.13
spring_data_commonsle1.13.11
spring_data_commonsge2.0
spring_data_commonsle2.0.6
spring_data_restgt2.6
spring_data_restle2.6.11
spring_data_restge3.0
spring_data_restle3.0.6
xmlbeamle1.4.14

Name	Operator	Version
spring_data_commons	ge	1.13
spring_data_commons	le	1.13.11
spring_data_commons	ge	2.0
spring_data_commons	le	2.0.6
spring_data_rest	gt	2.6
spring_data_rest	le	2.6.11
spring_data_rest	ge	3.0
spring_data_rest	le	3.0.6
xmlbeam	le	1.4.14