QSearchQSearch

CVE-2017-8046

9.8 CRITICAL

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay ...

Published: 2018-01-04 · Last updated: 2026-06-26

Severity and scoring

CVSS
9.8 CRITICAL
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-20

Affected products

VendorProduct
pivotal_softwarespring_boot, spring_data_rest
vmwarespring_boot, spring_data_rest

Description

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-41856 The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within t... (7.5 HIGH)
  • CVE-2026-41700 Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking (8.1 HIGH)
  • CVE-2026-41699 Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries (8.1 HIGH)
  • CVE-2026-41694 Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a val... (3.7 LOW)
  • CVE-2026-41003 An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Secu... (7.6 HIGH)

Same CWE

  • CVE-2026-12191 A vulnerability was found in Comma AI Openpilot 0.11 (7.8 HIGH)
  • CVE-2026-45013 ApostropheCMS is an open-source Node.js content management system (8.1 HIGH)
  • CVE-2026-54133 jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP app... (9.8 CRITICAL)
  • CVE-2026-47196 Quest Bot is an opensource Discord Bot
  • CVE-2026-50633 A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an atta... (8.1 HIGH)