CVE-2017-8046
Published: 2018-01-04 · Last updated: 2026-06-26
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-20 (Improper Input Validation)
Affected products
| Vendor | Product |
|---|---|
| pivotal_software | spring_boot, spring_data_rest |
| vmware | spring_boot, spring_data_rest |
Description
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2017-8046
- [Other] http://www.securityfocus.com/bid/100948
- [Other] https://access.redhat.com/errata/RHSA-2018:2405
- [Vendor advisory] https://pivotal.io/security/cve-2017-8046
- [Other] https://www.exploit-db.com/exploits/44289/
Related CVEs
Same vendor
- CVE-2026-41856 — The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within t... (7.5 HIGH)
- CVE-2026-41700 — Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking (8.1 HIGH)
- CVE-2026-41699 — Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries (8.1 HIGH)
- CVE-2026-41694 — Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a val... (3.7 LOW)
- CVE-2026-41003 — An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Secu... (7.6 HIGH)
Same CWE
- CVE-2026-12191 — A vulnerability was found in Comma AI Openpilot 0.11 (7.8 HIGH)
- CVE-2026-45013 — ApostropheCMS is an open-source Node.js content management system (8.1 HIGH)
- CVE-2026-54133 — jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP app... (9.8 CRITICAL)
- CVE-2026-47196 — Quest Bot is an open-source Discord Bot
- CVE-2026-50633 — A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an atta... (8.1 HIGH)