
Spring Data Commons - Vulnerability issue #190

Closed
denisazevedo opened this issue Aug 9, 2018 · 1 comment

Comments

@denisazevedo

Guys,

We have a security issue using the following Spring Data Commons dependencies:

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.

My 2 cents, the dependencies need to be upgraded to support one of the versions not listed above.

Thank you for your hard work!
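Added example, not from this issue or the project: a small check that reads the declared spring-data-commons version from a constructed pom.xml fragment and tests it against the affected ranges quoted in the advisory text above (everything up to 1.13.10, and 2.0.0 through 2.0.5). Release-train names such as `Ingalls-SR14` carry no numeric module version, so they are reported as unparseable rather than guessed.

```python
"""Check a spring-data-commons version against the CVE-2018-1273 advisory ranges."""
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the advisory: 1.13.x up to and including 1.13.10
# plus "older unsupported versions", and 2.0.0 through 2.0.5 (inclusive).
AFFECTED_RANGES = [
    ((0, 0, 0), (1, 13, 10)),
    ((2, 0, 0), (2, 0, 5)),
]


def parse_version(version: str):
    """Map '2.0.5.RELEASE' or '1.13' to a comparable (major, minor, patch) tuple.
    Returns None for release-train names like 'Ingalls-SR14', which must be
    resolved to the module version they pull in before they can be checked."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version: str) -> bool:
    """True if the numeric version lies inside any advisory range."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"not a numeric version: {version!r}")
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Constructed sample pom.xml fragment (hypothetical, not the project's pom).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.springframework.data</groupId>
      <artifactId>spring-data-commons</artifactId>
      <version>2.0.5.RELEASE</version>
    </dependency>
  </dependencies>
</project>"""


def commons_version_from_pom(pom_xml: str):
    """Return the declared spring-data-commons version in a pom, or None."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    for dep in root.findall(".//m:dependency", ns):
        if dep.findtext("m:artifactId", namespaces=ns) == "spring-data-commons":
            return dep.findtext("m:version", namespaces=ns)
    return None


if __name__ == "__main__":
    declared = commons_version_from_pom(SAMPLE_POM)
    print(declared, "affected" if is_affected(declared) else "not affected")
```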

@derjust derjust added the bug label Aug 11, 2018
@derjust derjust added this to To do in 5.0.3 - Maintenance & security release via automation Aug 11, 2018
@derjust derjust moved this from To do to In progress in 5.0.3 - Maintenance & security release Aug 11, 2018
derjust added a commit that referenced this issue Aug 11, 2018
Fixed security issue with spring-data-commons by update to version `2.0.9` - see CVE-2018-1273
derjust added a commit that referenced this issue Aug 11, 2018
Fixed security issue with spring-data-commons by update to version `Ingalls-SR14` - see CVE-2018-1273
@derjust
Owner

derjust commented Aug 11, 2018

Thank you for reporting.
Pushed releases to Maven Central with the updated dependencies

  • v4.5.7
  • v5.0.3

@derjust derjust closed this as completed Aug 11, 2018
5.0.3 - Maintenance & security release automation moved this from In progress to Done Aug 11, 2018
@derjust derjust added this to the v5.0.3 milestone Aug 11, 2018