Date: Tue, 26 Jun 2018 22:33:32 +0300
From: James Sirota <jsirota@...che.org>
To: oss-security@...ts.openwall.com, security@...ron.apache.org, james sirota <jsirota@...tonworks.com>, dev <dev@...ron.apache.org>
Subject: CVE-2018-1273 fixed in Metron 0.5.0

The following CVE was fixed in Metron 0.5.0:

[CVEID]: CVE-2018-1273
[PRODUCT]: Spring Data Commons
[VERSION]: versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older
[PROBLEMTYPE]: remote code execution attack
[REFERENCES]: https://pivotal.io/security/cve-2018-1273
[DESCRIPTION]: Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data’s projection-based request payload binding that can lead to a remote code execution attack.
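
Added example, not part of the original message and not Metron or Spring code: a Python check that flags spring-data-commons versions inside the ranges the advisory lists, reading Maven dependency-list lines or jar file names. The sample input is constructed, and treating versions above the listed upper bounds as unaffected is an assumption drawn from those ranges.

```python
import re

# Upper bounds of the affected ranges, from the advisory text:
# "1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions".
MAX_AFFECTED_1X = (1, 13, 10)
MAX_AFFECTED_20 = (2, 0, 5)

# Matches a Maven coordinate (artifact:jar:version) or a jar file name
# (artifact-version.jar); a ".RELEASE"-style qualifier is left unmatched.
_REF = re.compile(r"spring-data-commons(?::jar:|-)(\d+(?:\.\d+){1,2})")

def parse_version(text):
    """Turn '1.13.10' or '2.0' into a 3-tuple of ints, padding with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True if the version lies in a range the advisory lists as vulnerable."""
    v = parse_version(version)
    if v[0] <= 1:
        # 1.13.x up to the bound, plus all older unsupported releases.
        return v <= MAX_AFFECTED_1X
    if v[:2] == (2, 0):
        return v <= MAX_AFFECTED_20
    return False  # assumption: anything newer than the listed ranges is fixed

def scan(lines):
    """Return (version, affected) for each spring-data-commons reference."""
    findings = []
    for line in lines:
        match = _REF.search(line)
        if match:
            findings.append((match.group(1), is_affected(match.group(1))))
    return findings

# Constructed sample: dependency-list lines and jar names, not real project output.
SAMPLE = """\
[INFO]    org.springframework.data:spring-data-commons:jar:1.13.10.RELEASE:compile
[INFO]    org.springframework.data:spring-data-commons:jar:2.0.6.RELEASE:compile
[INFO]    org.springframework:spring-core:jar:4.3.14.RELEASE:compile
lib/spring-data-commons-2.0.5.RELEASE.jar
lib/spring-data-commons-1.11.4.RELEASE.jar
""".splitlines()

if __name__ == "__main__":
    for version, affected in scan(SAMPLE):
        print(f"{version:10} {'AFFECTED' if affected else 'ok'}")
```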