High severity (CVSS 7.5, NVD) · Advisory · Published May 11, 2018 · Updated Jun 26, 2026
CVE-2018-1259
Description
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
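The description above names the whole mechanism: the XML projection binder hands the request body to XMLBeam, XMLBeam's parser resolves external entities, and the file the entity points at ends up bound to a String property. The following is an added example, not code from the advisory, Spring Data or XMLBeam, that reproduces that behaviour with Python's standard-library expat parser so it can be run offline: installing an external-entity resolver on the parser stands in for XMLBeam 1.4.14's unrestricted configuration, leaving it out stands in for the patched one, and refusing any DOCTYPE is the stricter fix a binder that never expects DTDs can apply. The payload shape, element names and secret file are constructed for the demonstration.

```python
"""Added example, not code from the advisory, Spring Data or XMLBeam: the XXE
mechanics behind CVE-2018-1259 reproduced with Python's stdlib expat parser.
The real flaw is XMLBeam's parser configuration behind Spring Data's XML
projection binding; here, installing (or not installing) an external-entity
resolver on the parser plays that role."""
import os
import tempfile
import xml.parsers.expat as expat
from urllib.parse import urlparse
from urllib.request import url2pathname


def xxe_payload(target_path):
    """Constructed attacker request body: a projection payload whose <text>
    field is an external entity pointing at a file on the server."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE comment [ <!ENTITY xxe SYSTEM "file://{target_path}"> ]>\n'
        "<comment><text>&xxe;</text></comment>"
    ).encode()


class DoctypeRejected(ValueError):
    """Raised by the hardened binder when a payload carries a DOCTYPE."""


def _fetch_system_id(sysid):
    """What a default entity resolver does: dereference the SYSTEM id.
    Only file: URIs and bare paths are handled here; a real resolver would
    also fetch http(s), which is the SSRF half of XXE."""
    parsed = urlparse(sysid)
    if parsed.scheme not in ("", "file"):
        raise ValueError(f"unsupported SYSTEM id scheme: {sysid}")
    path = url2pathname(parsed.path) if parsed.scheme == "file" else sysid
    with open(path, "rb") as f:
        return f.read()


def bind_text(xml_bytes, resolve_external, allow_doctype=True):
    """Parse a payload and return the text a projection would bind to its
    String property. resolve_external=True reproduces XMLBeam <= 1.4.14's
    behaviour; allow_doctype=False is the stricter fix (no DTD at all)."""
    parts = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = parts.append

    if not allow_doctype:
        def on_doctype(name, sysid, pubid, has_internal_subset):
            raise DoctypeRejected(f"DOCTYPE '{name}' is not accepted in request payloads")
        parser.StartDoctypeDeclHandler = on_doctype

    if resolve_external:
        def on_external_entity(context, base, sysid, pubid):
            # The vulnerable behaviour: fetch whatever the entity points at and
            # splice it into the document as character data.
            sub = parser.ExternalEntityParserCreate(context)
            sub.Parse(_fetch_system_id(sysid), True)
            return 1
        parser.ExternalEntityRefHandler = on_external_entity
    # With no ExternalEntityRefHandler, expat skips the reference: nothing is fetched.

    parser.Parse(xml_bytes, True)
    return "".join(parts)


def bind_hardened(xml_bytes):
    """Defensive binding: no DOCTYPE accepted, and external entities never resolved."""
    return bind_text(xml_bytes, resolve_external=False, allow_doctype=False)


def run_demo():
    """Writes a constructed secret file, then binds the XXE payload three ways."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write("db.password=s3cr3t")  # constructed secret, not a real credential
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        leaked = bind_text(payload, resolve_external=True)
        dropped = bind_text(payload, resolve_external=False)
        try:
            bind_hardened(payload)
            rejected = False
        except DoctypeRejected:
            rejected = True
    finally:
        os.unlink(secret_path)
    return {"unrestricted": leaked, "restricted": dropped, "hardened_rejected": rejected}


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` binds the file contents in the unrestricted case, an empty string once the resolver is gone, and raises before any entity is touched in the hardened case. In the Java stack the equivalent knobs are the JAXP features `external-general-entities`, `external-parameter-entities` and `disallow-doctype-decl` on the DocumentBuilderFactory that XMLBeam uses; the fixed Spring Data versions no longer leave that factory at its defaults.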
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.springframework.data:spring-data-commons | Maven | >= 1.13.0, < 1.13.12 | 1.13.12 |
| org.springframework.data:spring-data-commons | Maven | >= 2.0.0, < 2.0.7 | 2.0.7 |
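The table gives the Spring Data Commons ranges and the description adds the second condition, XMLBeam 1.4.14 or earlier. The following is an added example, not part of the advisory, that applies both conditions to a Maven dependency list. It assumes lines in the shape `mvn dependency:list` prints (groupId:artifactId:type[:classifier]:version:scope), takes XMLBeam's Maven coordinates to be org.xmlbeam:xmlprojector (verify against your own tree), and uses a deliberately small subset of Maven's version rules: numeric parts compare numerically and a non-RELEASE qualifier such as RC1 or BUILD-SNAPSHOT sorts before the release with the same numbers, so 2.0.7.RC1 is still counted as below the 2.0.7 fix. The sample output at the bottom is constructed, not captured from a real build.

```python
"""Added example, not part of the advisory: flag a Maven dependency list that
carries the vulnerable combination behind CVE-2018-1259, i.e. an affected
Spring Data Commons together with XMLBeam 1.4.14 or earlier.

Assumptions: input lines look like `mvn dependency:list` output
(groupId:artifactId:type[:classifier]:version:scope); XMLBeam's Maven
coordinates are taken to be org.xmlbeam:xmlprojector (check your own tree).
The version comparison is a small subset of Maven's rules: numeric parts
compare numerically and any non-RELEASE qualifier (RC1, M2, SNAPSHOT, ...)
sorts before the release with the same numbers."""
import re

# Ranges from the advisory's affected-packages table (lower inclusive, upper exclusive).
AFFECTED_SPRING_DATA_COMMONS = [("1.13.0", "1.13.12"), ("2.0.0", "2.0.7")]
XMLBEAM_FIRST_SAFE = "1.4.15"  # the description says "1.4.14 or earlier" is affected

RELEASE_QUALIFIERS = {"", "RELEASE", "FINAL", "GA"}


def parse_version(version):
    """'2.0.7.RELEASE' -> (2, 0, 7, 1); '2.0.7.RC1' -> (2, 0, 7, 0); '1.13' -> (1, 13, 0, 1).
    The trailing element ranks pre-releases (0) below releases (1)."""
    numbers, qualifier = [], []
    for part in re.split(r"[.\-]", version):
        if part.isdigit() and not qualifier:
            numbers.append(int(part))
        else:
            qualifier.append(part)
    while len(numbers) < 3:
        numbers.append(0)
    rank = 1 if "-".join(qualifier).upper() in RELEASE_QUALIFIERS else 0
    return tuple(numbers) + (rank,)


def is_spring_data_commons_affected(version):
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_SPRING_DATA_COMMONS)


def is_xmlbeam_affected(version):
    return parse_version(version) < parse_version(XMLBEAM_FIRST_SAFE)


def parse_dependency_line(line):
    """Return (groupId, artifactId, version) for a dependency line, else None."""
    body = line.split("]", 1)[-1] if line.lstrip().startswith("[") else line
    tokens = body.split()
    if not tokens:
        return None
    fields = tokens[0].split(":")
    if len(fields) == 5:      # group:artifact:type:version:scope
        return fields[0], fields[1], fields[3]
    if len(fields) == 6:      # group:artifact:type:classifier:version:scope
        return fields[0], fields[1], fields[4]
    return None


def assess(dependency_lines):
    """Combine both conditions the description states: vulnerable only when an
    affected Spring Data Commons is paired with an affected XMLBeam."""
    spring_data = xmlbeam = None
    for line in dependency_lines:
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        group, artifact, version = parsed
        if (group, artifact) == ("org.springframework.data", "spring-data-commons"):
            spring_data = version
        elif (group, artifact) == ("org.xmlbeam", "xmlprojector"):
            xmlbeam = version
    sd_bad = spring_data is not None and is_spring_data_commons_affected(spring_data)
    xb_bad = xmlbeam is not None and is_xmlbeam_affected(xmlbeam)
    if sd_bad and xb_bad:
        verdict = "vulnerable"
    elif sd_bad:
        verdict = "upgrade-advised"  # affected Spring Data, but the XMLBeam path is absent or patched
    else:
        verdict = "not-affected"
    return {"spring-data-commons": spring_data, "xmlbeam": xmlbeam, "verdict": verdict}


# Constructed sample of `mvn dependency:list` output, not captured from a real build.
SAMPLE_MVN_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.1.1:list (default-cli) @ demo-app ---
[INFO] The following files have been resolved:
[INFO]    org.springframework.data:spring-data-commons:jar:2.0.6.RELEASE:compile
[INFO]    org.xmlbeam:xmlprojector:jar:1.4.14:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.5:compile
""".splitlines()

if __name__ == "__main__":
    print(assess(SAMPLE_MVN_OUTPUT))
```

The "upgrade-advised" verdict covers a tree with an affected Spring Data Commons but no affected XMLBeam: the XML projection converter is only active when XMLBeam is on the classpath, so the file-read path is not reachable, but the fixed Spring Data version is still the version to be on.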
Affected products
- Pivotal / Spring Data Commons, range: 1.13 prior to 1.13.12; 2.0 prior to 2.0.7
References
- access.redhat.com/errata/RHSA-2018:1809 (NVD: Third Party Advisory)
- access.redhat.com/errata/RHSA-2018:3768 (NVD: Third Party Advisory)
- github.com/advisories/GHSA-m929-7fr6-cvjg (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1259 (GHSA: Advisory)
- pivotal.io/security/cve-2018-1259 (NVD: Vendor Advisory)
- www.oracle.com/security-alerts/cpujul2022.html (NVD)