CVE-2017-8046
Description
CVE-2017-8046 allows attackers to execute arbitrary Java code via malicious PATCH requests using crafted JSON, in Spring Data REST versions prior to 2.6.9 and 3.0.1, and in Spring Boot versions prior to 1.5.9 and 2.0 M6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2017-8046 is a remote code execution vulnerability in Spring Data REST versions prior to 2.6.9 (Ingalls SR9) and prior to 3.0.1 (Kay SR1), as well as in Spring Boot versions prior to 1.5.9 and 2.0 M6 [2]. The vulnerability is triggered when the server receives a maliciously crafted PATCH request whose JSON body is processed by the affected component. This flaw allows attackers to execute arbitrary Java code on the affected server.
Exploitation
An attacker must have network access to the vulnerable server and be able to send HTTP PATCH requests to a Spring Data REST endpoint [2]. The attacker crafts a JSON payload that, when processed by the vulnerable Spring Data REST component, leads to arbitrary code execution. No authentication is required for exploitation, as the vulnerability can be triggered by unauthenticated PATCH requests to publicly exposed repository resources [2].
Impact
Successful exploitation of CVE-2017-8046 allows an attacker to execute arbitrary Java code on the affected server [2]. The attacker can run code in the context of the application, potentially leading to full compromise of the server, including disclosure of sensitive data, modification or destruction of data, and further lateral movement within the network [2]. The vulnerability is rated with a CVSS base score indicating a critical severity level [4].
Mitigation
This vulnerability is fixed in Spring Data REST versions 2.6.9 (Ingalls SR9) and 3.0.1 (Kay SR1), and in Spring Boot versions 1.5.9 and 2.0 M6 [2]. Users of affected versions should upgrade immediately. Red Hat also released an update as RHSA-2018:2405 for Red Hat FIS 2.0 on Fuse 6.3.0 R7 to remediate this issue [4]. No workarounds have been publicly disclosed, and upgrading to the fixed versions is the primary mitigation. This CVE is not listed on the CISA KEV catalog at the time of writing.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.springframework.data:spring-data-rest-core | Maven | < 2.6.9.RELEASE | 2.6.9.RELEASE |
| org.springframework.data:spring-data-rest-core | Maven | >= 3.0.0, < 3.0.1.RELEASE | 3.0.1.RELEASE |
Affected products
- Vendor: Pivotal. Product: Pivotal Spring Data REST and Spring Boot. Range: Pivotal Spring Data REST versions prior to 2.6.9 (Ingalls SR9), 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.exploit-db.com/exploits/44289/ (Exploit-DB entry; MITRE reference, x_refsource_EXPLOIT-DB)
- access.redhat.com/errata/RHSA-2018:2405 (Red Hat vendor advisory; GHSA reference, x_refsource_REDHAT)
- github.com/advisories/GHSA-9qf9-28h9-hqcj (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-8046 (NVD entry; GHSA reference)
- www.securityfocus.com/bid/100948 (SecurityFocus BID; MITRE reference, x_refsource_BID)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla; GHSA reference)
- github.com/spring-projects/spring-data-rest/issues/1487 (Spring Data REST issue; GHSA reference)
- github.com/spring-projects/spring-data-rest/issues/1520 (Spring Data REST issue; GHSA reference)
- jira.spring.io/browse/DATAREST-1127 (Spring JIRA; GHSA reference)
- pivotal.io/security/cve-2017-8046 (Pivotal vendor confirmation; GHSA reference, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.