Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.springframework.boot/spring-boot@1.5.0.RELEASE

Type maven

Namespace org.springframework.boot

Name spring-boot

Version 1.5.0.RELEASE

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.5.10.RELEASE

Latest_non_vulnerable_version 4.0.6

Affected_by_vulnerabilities

url VCID-kzsg-qwvd-2ffh

vulnerability_id VCID-kzsg-qwvd-2ffh

summary

RCE in PATCH requests
Malicious PATCH requests submitted to servers using Spring Data REST backed HTTP resources can use specially crafted JSON data to run arbitrary Java code.

references

reference_url

https://access.redhat.com/errata/RHSA-2018:2405

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/errata/RHSA-2018:2405

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-8046.json

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-8046.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2017-8046

reference_id

reference_type

scores

value	0.93978
scoring_system	epss
scoring_elements	0.99895
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2017-8046

reference_url

https://github.com/spring-projects/spring-data-rest

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-data-rest

reference_url	https://github.com/spring-projects/spring-data-rest/commit/824e51a1304bbc8334ac0b96ffaef588177e6cc
reference_id
reference_type
scores
url	https://github.com/spring-projects/spring-data-rest/commit/824e51a1304bbc8334ac0b96ffaef588177e6cc

reference_url	https://github.com/spring-projects/spring-data-rest/commit/8f269e28fe8038a6c60f31a1c36cfda04795ab45
reference_id
reference_type
scores
url	https://github.com/spring-projects/spring-data-rest/commit/8f269e28fe8038a6c60f31a1c36cfda04795ab45

reference_url

https://github.com/spring-projects/spring-data-rest/issues/1487

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-data-rest/issues/1487

reference_url

https://github.com/spring-projects/spring-data-rest/issues/1520

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-data-rest/issues/1520

reference_url	https://jira.spring.io/browse/DATAREST-1127
reference_id
reference_type
scores
url	https://jira.spring.io/browse/DATAREST-1127

reference_url

https://jira.spring.io/browse/DATAREST-1127?redirect=false

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://jira.spring.io/browse/DATAREST-1127?redirect=false

reference_url	https://jira.spring.io/browse/DATAREST-1152
reference_id
reference_type
scores
url	https://jira.spring.io/browse/DATAREST-1152

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2017-8046

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2017-8046

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=1553024

reference_id

1553024

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=1553024

reference_url	https://github.com/m3ssap0/spring-break_cve-2017-8046
reference_id	CVE-2017-8046
reference_type	exploit
scores
url	https://github.com/m3ssap0/spring-break_cve-2017-8046

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/44289.java
reference_id	CVE-2017-8046
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/44289.java

reference_url

https://pivotal.io/security/cve-2017-8046

reference_id

CVE-2017-8046

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://pivotal.io/security/cve-2017-8046

reference_url

https://github.com/advisories/GHSA-9qf9-28h9-hqcj

reference_id

GHSA-9qf9-28h9-hqcj

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9qf9-28h9-hqcj

fixed_packages

url pkg:maven/org.springframework.boot/spring-boot@1.5.9.RELEASE

purl pkg:maven/org.springframework.boot/spring-boot@1.5.9.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wq91-uxkz-dkf7

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.boot/spring-boot@1.5.9.RELEASE

aliases CVE-2017-8046, GHSA-9qf9-28h9-hqcj

risk_score 10.0

exploitability 2.0

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kzsg-qwvd-2ffh

url VCID-wq91-uxkz-dkf7

vulnerability_id VCID-wq91-uxkz-dkf7

summary

Symlink privilege escalation attack via Spring Boot launch script
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot is susceptible to a symlink attack which allows the `run_user` to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the `run_user` requires shell access to the server.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1196.json

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1196.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-1196

reference_id

reference_type

scores

value	0.00604
scoring_system	epss
scoring_elements	0.70016
published_at	2026-06-05T12:55:00Z

value	0.00604
scoring_system	epss
scoring_elements	0.69975
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-1196

reference_url

https://github.com/advisories/GHSA-xx65-cc7g-9pfp

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-xx65-cc7g-9pfp

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-1196

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-1196

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1542002
reference_id	1542002
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1542002

reference_url

https://pivotal.io/security/cve-2018-1196

reference_id

CVE-2018-1196

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://pivotal.io/security/cve-2018-1196

fixed_packages

url	pkg:maven/org.springframework.boot/spring-boot@1.5.10
purl	pkg:maven/org.springframework.boot/spring-boot@1.5.10
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.boot/spring-boot@1.5.10

url	pkg:maven/org.springframework.boot/spring-boot@1.5.10.RELEASE
purl	pkg:maven/org.springframework.boot/spring-boot@1.5.10.RELEASE
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.boot/spring-boot@1.5.10.RELEASE

aliases CVE-2018-1196, GHSA-xx65-cc7g-9pfp

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wq91-uxkz-dkf7

Fixing_vulnerabilities

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.boot/spring-boot@1.5.0.RELEASE

Package Instance