KEVIntel
Back to KEVs
9.8
CVSS
Critical

CVE-2018-1273

PUBLISHED

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability...

Exploited in the wild Used in malware Remote Low complexity No user interaction
Vendor
Spring by Pivotal
Product
Spring Framework
Published
Apr 11, 2018
EPSS

Description

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.

java cisa malware ransomware nuclei_scanner

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 7.5

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation status

Exploited in the wild

Recorded 2022-03-25 00:00:00 UTC · Source

Used in malware

Recorded 2022-03-25 00:00:00 UTC · Source

SSVC decision points

Exploitation
active
Automatable
Yes
Technical impact
total

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
CISA Mar 25, 2022

Scanner integrations

Scanner Reference Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-1273.yaml Apr 25, 2025

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

knqyf263/CVE-2018-1273

github · Created 2018-04-13 13:41:02 UTC · 10 stars

Environment for CVE-2018-1273 (Spring Data Commons)

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Exploit Used in Malware

  • Added to KEVIntel

  • Detected by Nuclei