CVE-2018-1274

Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/103769	Broken Link
https://pivotal.io/security/cve-2018-1274	Vendor Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Third Party Advisory
http://www.securityfocus.com/bid/103769	Broken Link
https://pivotal.io/security/cve-2018-1274	Vendor Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pivotal_software:spring_data_commons::::::::
	cpe:2.3:a:pivotal_software:spring_data_commons::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:pivotal_software:spring_data_rest::::::::
	cpe:2.3:a:pivotal_software:spring_data_rest::::::::

History

12 Sep 2025, 19:46

Type	Values Removed	Values Added
References	~~() http://www.securityfocus.com/bid/103769 - Third Party Advisory, VDB Entry~~	() http://www.securityfocus.com/bid/103769 - Broken Link
References	~~() https://www.oracle.com/security-alerts/cpujul2022.html -~~	() https://www.oracle.com/security-alerts/cpujul2022.html - Third Party Advisory

21 Nov 2024, 03:59

Type	Values Removed	Values Added
References	~~() http://www.securityfocus.com/bid/103769 - Third Party Advisory, VDB Entry~~	() http://www.securityfocus.com/bid/103769 - Third Party Advisory, VDB Entry
References	~~() https://pivotal.io/security/cve-2018-1274 - Vendor Advisory~~	() https://pivotal.io/security/cve-2018-1274 - Vendor Advisory
References	~~() https://www.oracle.com/security-alerts/cpujul2022.html -~~	() https://www.oracle.com/security-alerts/cpujul2022.html -

Information

Published : 2018-04-18 16:29

Updated : 2025-09-12 19:46

NVD link : CVE-2018-1274

Mitre link : CVE-2018-1274

CVE.ORG link : CVE-2018-1274

JSON object : View

Products Affected

pivotal_software

spring_data_rest
spring_data_commons

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2018-1274

7.5^/10

5.0^/10

Attach tags to `CVE-2018-1274`