Spring Data REST exists serious flaw that allows remote attackers to execute arbitrary commands

CVE-2017-8046

According to securityaffairs reports on March 5, security researchers at lgtm.com found a serious flaw in Pivotal’s Spring Data REST that allows remote attackers to target devices that run applications that use Spring Data REST components (CVE-2017-8046).

Researchers believe that the vulnerability is similar to the vulnerability in the Apache Struts that caused the Equifax data breach and traces it to CVE- 2017-8046.

According to a security bulletin published by Semmle/lgtm, the vulnerability is related to how the Spring Expression Language (SpEL) is used in the Data REST component, and the lack of validation of user input also allows attackers to run applications built with Spring Data REST. A large part of the device executing arbitrary commands.

Currently, this vulnerability is easily exploited. Because Spring Data REST’s RESTful API is generally publicly accessible, its flaws may make it easier for hackers to control servers and access sensitive information.

Affected Spring products and components:

  • Spring Data REST components, versions prior to 2.5.12, 2.6.7, 3.0RC3
    • (Maven artifacts: spring-data-rest-core, spring-data-rest-webmvc, spring-data-rest-distribution, spring-data-rest-hal-browser)
  • Spring Boot, versions prior to 2.0.0M4
    • (when using the included Spring Data REST component: spring-boot-starter-data-rest)
  • Spring Data, versions prior to Kay-RC3

Pivotal has issued a security patch for this vulnerability and urged its users to update their applications.

 

Source: SecurityAffairs