New QID for RCE in Pivotal Spring Data REST package

Document created by Dave Ferguson (Employee) on Apr 6, 2018. Last modified by Robert Dell'Immagine on Apr 12, 2018.

Hello all -

The Qualys WAS scanning engine has been updated to include a new detection for a remote code execution (RCE) vulnerability in Pivotal Spring Data REST, a sub-package that is part of the Spring Framework. This new detection capability is part of an ongoing effort to provide more support for known vulnerabilities in application frameworks. The CVE ID is CVE-2017-8046. To exploit this vulnerability, an attacker submits malicious PATCH requests to spring-data-rest servers with specially-crafted JSON data to run arbitrary Java code on the server.
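As an added defensive example (not Qualys code and not part of the original post), the Python below shows the kind of structural check a reverse proxy or WAF rule could apply in front of a Spring Data REST endpoint while the fix is being rolled out: it inspects only PATCH requests that carry the JSON Patch media type and flags any operation whose `path` or `from` value is not a plain RFC 6901 JSON Pointer. The function names, the sample request bodies, and the assumption that resource property names are simple identifiers are all mine; the page does not describe this check.

```python
import json
import re

# Strict RFC 6901 JSON Pointer: the empty string, or "/"-separated segments
# made of simple identifier characters. Assumption (mine, not from the page):
# Spring Data REST resource properties have plain names, so anything outside
# this grammar is unexpected in a legitimate patch.
JSON_POINTER_RE = re.compile(r"^(?:/[A-Za-z0-9_.-]*)*$")

# The six operations defined by RFC 6902.
JSON_PATCH_OPS = {"add", "remove", "replace", "move", "copy", "test"}


def validate_json_patch(body: str) -> list[str]:
    """Return the problems found in a JSON Patch (RFC 6902) body.

    An empty list means every operation is well-formed and every pointer is
    a plain JSON Pointer; it does not prove the patch is semantically valid.
    """
    problems: list[str] = []
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return [f"body is not valid JSON: {exc}"]
    if not isinstance(doc, list):
        return ["JSON Patch body must be an array of operations"]
    for i, op in enumerate(doc):
        if not isinstance(op, dict):
            problems.append(f"op {i}: not an object")
            continue
        name = op.get("op")
        if name not in JSON_PATCH_OPS:
            problems.append(f"op {i}: unknown op {name!r}")
        # "path" is mandatory for all ops; "from" is used by move/copy.
        for key in ("path", "from"):
            if key in op:
                value = op[key]
                if not isinstance(value, str) or not JSON_POINTER_RE.match(value):
                    problems.append(
                        f"op {i}: {key!r} is not a plain JSON Pointer: {value!r}"
                    )
    return problems


def should_block(method: str, content_type: str, body: str) -> bool:
    """Gate placed in front of spring-data-rest.

    Only PATCH requests with the JSON Patch media type are inspected; every
    other request passes through untouched so normal traffic is unaffected.
    """
    if method.upper() != "PATCH":
        return False
    if not content_type.lower().startswith("application/json-patch+json"):
        return False
    return bool(validate_json_patch(body))


# Constructed sample bodies for illustration; not captured traffic.
BENIGN = json.dumps([{"op": "replace", "path": "/firstName", "value": "Ada"}])
MALFORMED = json.dumps([{"op": "replace", "path": "/firstName(1+1)", "value": "Ada"}])

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("malformed", MALFORMED)):
        verdict = should_block("PATCH", "application/json-patch+json", body)
        print(f"{label}: {'blocked' if verdict else 'allowed'}")
        for problem in validate_json_patch(body):
            print("  -", problem)
```

Because the gate keys on the media type and the JSON Pointer grammar rather than on any particular payload string, it does not need a signature for each variant and produces a concrete reason string that can be written to the proxy log for triage.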

To ensure WAS tests for this serious issue, be sure that QID 150201 is enabled during your vulnerability scans.

More details about the vulnerability and how to fix it are available from Pivotal's security advisory.

-Dave
