on Apr 6, 2018Hello all -
The Qualys WAS scanning engine has been updated to include a new detection for a remote code execution (RCE) vulnerability in Pivotal Spring Data REST, a sub-package that is part of the Spring Framework. This new detection capability is part of an ongoing effort to provide more support for known vulnerabilities in application frameworks. The CVE ID is CVE-2017-8046. To exploit this vulnerability, an attacker submits malicious PATCH requests to spring-data-rest servers with specially-crafted JSON data to run arbitrary Java code on the server.
To ensure WAS tests for this serious issue, be sure that QID 150201 is enabled during your vulnerability scans.
More details about the vulnerability and how to fix it is available from Pivotal's security advisory.
-Dave