Search for vulnerabilities
Vulnerability details: VCID-dam4-ygz5-aaaj
Vulnerability ID VCID-dam4-ygz5-aaaj
Aliases CVE-2018-1273
GHSA-4fq3-mr56-cg6r
Summary Remote code injection vulnerability in org.springframework.data:spring-data-commons
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (6)
CWE-20 Improper Input Validation
CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-138 Improper Neutralization of Special Elements
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
System Score Found at
cvssv3.1 9.8 http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
cvssv3.1 9.8 http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
cvssv3.1 9.8 http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
generic_textual CRITICAL http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
ssvc Act http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
ssvc Act http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
cvssv3 9.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1273.json
epss 0.94208 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.94208 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.94208 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.94208 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.94208 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.94208 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.94208 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.943 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.943 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.943 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.943 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.943 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.943 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.94336 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.94336 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.94336 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.96816 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.96816 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.96816 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.96816 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.97241 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.97241 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.97241 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.97241 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.97241 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
epss 0.97241 https://api.first.org/data/v1/epss?cve=CVE-2018-1273
rhbs urgent https://bugzilla.redhat.com/show_bug.cgi?id=1565923
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-4fq3-mr56-cg6r
cvssv3.1 9.8 https://github.com/spring-projects/spring-data-commons
generic_textual CRITICAL https://github.com/spring-projects/spring-data-commons
cvssv3.1 9.8 https://github.com/spring-projects/spring-data-commons/commit/ae1dd2741ce06d44a0966ecbd6f47beabde2b653
generic_textual CRITICAL https://github.com/spring-projects/spring-data-commons/commit/ae1dd2741ce06d44a0966ecbd6f47beabde2b653
cvssv3.1 9.8 https://github.com/spring-projects/spring-data-commons/commit/b1a20ae1e82a63f99b3afc6f2aaedb3bf4dc432a
generic_textual CRITICAL https://github.com/spring-projects/spring-data-commons/commit/b1a20ae1e82a63f99b3afc6f2aaedb3bf4dc432a
cvssv3.1 9.8 https://github.com/spring-projects/spring-data-commons/issues/1721
generic_textual CRITICAL https://github.com/spring-projects/spring-data-commons/issues/1721
cvssv2 7.5 https://nvd.nist.gov/vuln/detail/CVE-2018-1273
cvssv3 9.8 https://nvd.nist.gov/vuln/detail/CVE-2018-1273
cvssv3 9.8 https://nvd.nist.gov/vuln/detail/CVE-2018-1273
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2018-1273
cvssv3.1 9.8 https://pivotal.io/security/cve-2018-1273
cvssv3.1 9.8 https://pivotal.io/security/cve-2018-1273
generic_textual CRITICAL https://pivotal.io/security/cve-2018-1273
ssvc Act https://pivotal.io/security/cve-2018-1273
cvssv3.1 7.5 https://www.oracle.com/security-alerts/cpujul2022.html
cvssv3.1 9.8 https://www.oracle.com/security-alerts/cpujul2022.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpujul2022.html
ssvc Act https://www.oracle.com/security-alerts/cpujul2022.html
Reference id Reference type URL
http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1273.json
https://api.first.org/data/v1/epss?cve=CVE-2018-1273
https://github.com/spring-projects/spring-data-commons
https://github.com/spring-projects/spring-data-commons/commit/ae1dd2741ce06d44a0966ecbd6f47beabde2b65
https://github.com/spring-projects/spring-data-commons/commit/ae1dd2741ce06d44a0966ecbd6f47beabde2b653
https://github.com/spring-projects/spring-data-commons/commit/b1a20ae1e82a63f99b3afc6f2aaedb3bf4dc432
https://github.com/spring-projects/spring-data-commons/commit/b1a20ae1e82a63f99b3afc6f2aaedb3bf4dc432a
https://github.com/spring-projects/spring-data-commons/issues/1721
https://pivotal.io/security/cve-2018-1273
https://www.oracle.com/security-alerts/cpujul2022.html
1565923 https://bugzilla.redhat.com/show_bug.cgi?id=1565923
cpe:2.3:a:apache:ignite:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:ignite:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:ignite:1.0.0:-:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:ignite:1.0.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:ignite:1.0.0:rc3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:ignite:1.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*
CVE-2018-1273 https://nvd.nist.gov/vuln/detail/CVE-2018-1273
GHSA-4fq3-mr56-cg6r https://github.com/advisories/GHSA-4fq3-mr56-cg6r
Data source KEV
Date added March 25, 2022
Description Spring Data Commons contains a property binder vulnerability which can allow an attacker to perform remote code execution.
Required action Apply updates per vendor instructions.
Due date April 15, 2022
Note 
https://nvd.nist.gov/vuln/detail/CVE-2018-1273
Ransomware campaign use Known
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-07T12:41:40Z/ Found at http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-07T12:41:40Z/ Found at http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1273.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/spring-projects/spring-data-commons
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/spring-projects/spring-data-commons/commit/ae1dd2741ce06d44a0966ecbd6f47beabde2b653
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/spring-projects/spring-data-commons/commit/b1a20ae1e82a63f99b3afc6f2aaedb3bf4dc432a
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/spring-projects/spring-data-commons/issues/1721
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1273
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1273
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1273
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1273
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://pivotal.io/security/cve-2018-1273
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://pivotal.io/security/cve-2018-1273
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-07T12:41:40Z/ Found at https://pivotal.io/security/cve-2018-1273
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://www.oracle.com/security-alerts/cpujul2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpujul2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-07T12:41:40Z/ Found at https://www.oracle.com/security-alerts/cpujul2022.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.99908
EPSS Score 0.94208
Published At April 22, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.