[
https://issues.apache.org/jira/browse/IGNITE-8713?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Mashenkov updated IGNITE-8713:
-------------------------------------
Labels: CVE security (was: security)
> Security vulnerabilities in spring-data-commons-1.13.1.RELEASE.jar
> ------------------------------------------------------------------
>
> Key: IGNITE-8713
> URL: https://issues.apache.org/jira/browse/IGNITE-8713
> Project: Ignite
> Issue Type: Bug
> Components: security
> Affects Versions: 2.5
> Reporter: Harendra Rai
> Priority: Major
> Labels: CVE, security
> Fix For: 2.6
>
>
> I am using Ignite for .NET and I have found the following security
> vulnerabilities in *“spring-data-commons-1.13.1.RELEASE.jar”*
> 1. CVE-2018-1273
> ([https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1273])
> *Description*: Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to
> 2.0.5, and older unsupported versions, contain a property binder
> vulnerability caused by improper neutralization of special elements. An
> unauthenticated remote malicious user (or attacker) can supply specially
> crafted request parameters against Spring Data REST backed HTTP resources or
> using Spring Data's projection-based request payload binding that can lead to
> a remote code execution attack.
> *Fix*: Users of affected versions should apply the following mitigation:
> 2.0.x users should upgrade to 2.0.6
> 1.13.x users should upgrade to 1.13.11
> Older versions should upgrade to a supported branch
> Releases that have fixed this issue include:
> Spring Data REST 2.6.11 (Ingalls SR11)
> Spring Data REST 3.0.6 (Kay SR6)
> There are no other mitigation steps necessary.
> Note that the use of authentication and authorization for endpoints, both of
> which are provided by Spring Security, limits exposure to this vulnerability
> to authorized users.
> 2. CVE-2018-1274
> ([https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1274])
> *Description*: Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and
> older unsupported versions, contain a property path parser vulnerability
> caused by unlimited resource allocation. An unauthenticated remote malicious
> user (or attacker) can issue requests against Spring Data REST endpoints or
> endpoints using property path parsing which can cause a denial of service
> (CPU and memory consumption).
> *Fix*: Users of affected versions should apply the following mitigation:
> 2.0.x users should upgrade to 2.0.6
> 1.13.x users should upgrade to 1.13.11
> Older versions should upgrade to a supported branch
> Releases that have fixed this issue include:
> Spring Data REST 2.6.11 (Ingalls SR11)
> Spring Data REST 3.0.6 (Kay SR6)
> There are no other mitigation steps necessary.
> Note that the use of authentication and authorization for endpoints, both of
> which are provided by Spring Security, limits exposure to this vulnerability
> to authorized users.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
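As an added example (not part of the issue or of the Ignite project), the check a release engineer would run over a classpath listing to flag a spring-data-commons jar that falls inside the version ranges quoted above for CVE-2018-1273 and CVE-2018-1274. The jar names in SAMPLE_CLASSPATH are constructed; the only ranges encoded are the ones the issue states (1.13 to 1.13.10 fixed in 1.13.11, 2.0 to 2.0.5 fixed in 2.0.6, older branches unsupported), so a branch newer than 2.0 is treated as outside them.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as quoted in the issue for CVE-2018-1273 / CVE-2018-1274:
# 1.13 to 1.13.10 (fixed in 1.13.11) and 2.0 to 2.0.5 (fixed in 2.0.6).
# Branches older than 1.13 are "older unsupported versions" and also affected.
FIXED_IN: Dict[Tuple[int, int], Version] = {(1, 13): (1, 13, 11), (2, 0): (2, 0, 6)}

# Matches e.g. spring-data-commons-1.13.1.RELEASE.jar; the qualifier
# (RELEASE, RC1, BUILD-SNAPSHOT, ...) is ignored for the range check.
JAR_RE = re.compile(
    r"^spring-data-commons-(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z0-9_-]+)?\.jar$")


def parse_jar_version(jar_name: str) -> Optional[Version]:
    """Return (major, minor, patch) for a spring-data-commons jar, else None."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: Version) -> Tuple[bool, Optional[str]]:
    """Return (affected, version to upgrade to) using only the ranges quoted
    in the issue; a branch newer than 2.0 is not flagged."""
    branch = version[:2]
    if branch in FIXED_IN:
        fixed = FIXED_IN[branch]
        if version < fixed:            # tuple comparison: 1.13.1 < 1.13.11
            return (True, ".".join(map(str, fixed)))
        return (False, None)
    if branch < (1, 13):               # "older unsupported versions"
        return (True, "a supported branch (1.13.11 or 2.0.6)")
    return (False, None)


def scan_classpath(jar_names: Iterable[str]) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Report every spring-data-commons jar found in a classpath listing."""
    findings = {}
    for name in jar_names:
        v = parse_jar_version(name)
        if v is not None:
            findings[name] = assess(v)
    return findings


# Constructed sample listing; the second entry is the jar named in the issue.
SAMPLE_CLASSPATH = [
    "ignite-core-2.5.0.jar",
    "spring-data-commons-1.13.1.RELEASE.jar",
    "spring-data-commons-2.0.6.RELEASE.jar",
]

if __name__ == "__main__":
    for jar, (affected, fix) in scan_classpath(SAMPLE_CLASSPATH).items():
        print(jar, "AFFECTED, upgrade to " + fix if affected else "not in affected range")
```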