XXE attack in Pivotal Spring Data Commons - CVE-2018-1259
Published: May 21, 2018
Vulnerability identifier: #VU12858
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1259
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pivotal
Affected software: Pivotal Spring Data Commons
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.
The weakness exists due to improper restriction of XML external entity references. The underlying XMLBeam library does not restrict external reference expansion. A remote attacker can supply specially crafted request parameters and gain access to arbitrary files.
How to mitigate CVE-2018-1259
Update to version 1.13.12 or 2.0.7.