Actively exploited in the wild
VMware Tanzu Spring Data Commons Property Binder Vulnerability
VMware Tanzu — Spring Data Commons · Listed in the CISA KEV since 2022-03-25. This indicates confirmed attacks in production environments.
Required action: Apply updates per vendor instructions.
CVE-2018-1273
Severity: Critical · CVSS 9.8 · KEV · Exploitation Probability (EPSS)
Very high risk: 100th percentile (higher than 100% of all known CVEs)
Summary
Vulnerability in Spring Data Commons (versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions) due to improper neutralization of special elements in the property binder. An unauthenticated remote attacker can supply specially crafted request parameters against Spring Data REST-backed HTTP resources, or use Spring Data's projection-based request payload binding, leading to remote code execution.
Risk Assessment
The risk for the organization includes the possibility of remote code execution by an unauthenticated attacker, potentially leading to full server compromise, data theft, or service disruption.
Recommendation
Immediately update Spring Data Commons to version 1.13.11 or 2.0.6 or later. If updating is not possible, restrict access to Spring Data REST resources to trusted networks and users only.
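The affected and fixed versions above can be turned into an inventory check. The following is an added example, not code from VMware, the Spring project or this advisory: it parses Spring Data Commons version strings (including Maven qualifiers such as `.RELEASE`) and classifies them against the ranges the advisory lists, treating anything below the 1.13 line as "older unsupported versions". The `SAMPLE_TREE` text is constructed to resemble `mvn dependency:tree` output and is not real output from any project.

```python
import re
from typing import List, Optional, Tuple

# Inclusive affected ranges as stated in the advisory for CVE-2018-1273.
AFFECTED_RANGES = [
    ((1, 13, 0), (1, 13, 10)),  # fixed in 1.13.11
    ((2, 0, 0), (2, 0, 5)),     # fixed in 2.0.6
]
# Everything below the oldest supported branch counts as "older unsupported versions".
OLDEST_SUPPORTED = (1, 13, 0)

# Matches the spring-data-commons coordinate in Maven dependency:tree output,
# e.g. "org.springframework.data:spring-data-commons:jar:1.13.10.RELEASE:compile".
DEP_RE = re.compile(r"org\.springframework\.data:spring-data-commons:jar:([^:\s]+):")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce '1.13.10.RELEASE', '2.0.5', '2.0.6-SNAPSHOT' to (major, minor, patch).

    Qualifiers are ignored: a 1.13.10 pre-release is still treated as 1.13.10.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return int(major), int(minor), int(patch) if patch is not None else 0


def is_affected(version: str) -> bool:
    """True if this Spring Data Commons version falls in an affected range."""
    v = parse_version(version)
    if v < OLDEST_SUPPORTED:
        return True  # "older unsupported versions" per the advisory
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def find_affected(dep_tree: str) -> List[Tuple[str, bool]]:
    """Scan dependency-tree text and report (version, affected?) for each hit."""
    return [(m.group(1), is_affected(m.group(1))) for m in DEP_RE.finditer(dep_tree)]


# Constructed sample, shaped like `mvn dependency:tree` output (not real project data).
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-data-rest:jar:1.5.x.RELEASE:compile
[INFO] |  \\- org.springframework.data:spring-data-rest-webmvc:jar:2.6.x.RELEASE:compile
[INFO] |     \\- org.springframework.data:spring-data-commons:jar:1.13.10.RELEASE:compile
"""


if __name__ == "__main__":
    for version, affected in find_affected(SAMPLE_TREE):
        status = "AFFECTED - upgrade to 1.13.11 / 2.0.6 or later" if affected else "not affected"
        print(f"spring-data-commons {version}: {status}")
```

Run it against the real output of `mvn dependency:tree` (or a Gradle dependency report with the regex adjusted) to find transitive copies of `spring-data-commons` pulled in through Spring Boot starters, which is where a vulnerable version most often hides after the direct dependency has been bumped.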
Original NVD description (English source)
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.