Critical severityCISA KEVNVD Advisory· Published Apr 11, 2018· Updated Oct 21, 2025

CVE-2018-1273


Description

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.springframework.data:spring-data-commonsMaven
>= 1.13.0, < 1.13.111.13.11
org.springframework.data:spring-data-commonsMaven
>= 2.0.0, < 2.0.62.0.6

Affected products

  • Spring by Pivotal/Spring Frameworkv5
    Range: Versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions

Patches

b1a20ae1e82a

DATACMNS-1282 - Switched to SimpleEvaluationContext in MapDataBinder.

1 file changed · +10 20
  • src/main/java/org/springframework/data/web/MapDataBinder.java+10 20 modified
    @@ -39,16 +39,12 @@
     import org.springframework.data.util.TypeInformation;
     import org.springframework.expression.AccessException;
     import org.springframework.expression.EvaluationContext;
    -import org.springframework.expression.EvaluationException;
     import org.springframework.expression.Expression;
    -import org.springframework.expression.TypeLocator;
     import org.springframework.expression.TypedValue;
     import org.springframework.expression.spel.SpelEvaluationException;
    -import org.springframework.expression.spel.SpelMessage;
     import org.springframework.expression.spel.SpelParserConfiguration;
     import org.springframework.expression.spel.standard.SpelExpressionParser;
    -import org.springframework.expression.spel.support.StandardEvaluationContext;
    -import org.springframework.expression.spel.support.StandardTypeConverter;
    +import org.springframework.expression.spel.support.SimpleEvaluationContext;
     import org.springframework.util.Assert;
     import org.springframework.web.bind.WebDataBinder;
     
    @@ -108,13 +104,6 @@ private static class MapPropertyAccessor extends AbstractPropertyAccessor {
     
     		private static final SpelExpressionParser PARSER = new SpelExpressionParser(
     				new SpelParserConfiguration(false, true));
    -		private static final TypeLocator REJECTING_LOCATOR = new TypeLocator() {
    -
    -			@Override
    -			public Class<?> findType(String typeName) throws EvaluationException {
    -				throw new SpelEvaluationException(SpelMessage.TYPE_NOT_FOUND, typeName);
    -			}
    -		};
     
     		private final @NonNull Class<?> type;
     		private final @NonNull Map<String, Object> map;
    @@ -172,14 +161,6 @@ public void setPropertyValue(String propertyName, Object value) throws BeansExce
     				throw new NotWritablePropertyException(type, propertyName);
     			}
     
    -			StandardEvaluationContext context = new StandardEvaluationContext();
    -			context.addPropertyAccessor(new PropertyTraversingMapAccessor(type, conversionService));
    -			context.setTypeConverter(new StandardTypeConverter(conversionService));
    -			context.setTypeLocator(REJECTING_LOCATOR);
    -			context.setRootObject(map);
    -
    -			Expression expression = PARSER.parseExpression(propertyName);
    -
     			PropertyPath leafProperty = getPropertyPath(propertyName).getLeafProperty();
     			TypeInformation<?> owningType = leafProperty.getOwningType();
     			TypeInformation<?> propertyType = owningType.getProperty(leafProperty.getSegment());
    @@ -196,6 +177,15 @@ public void setPropertyValue(String propertyName, Object value) throws BeansExce
     				value = conversionService.convert(value, TypeDescriptor.forObject(value), typeDescriptor);
     			}
     
    +			EvaluationContext context = SimpleEvaluationContext //
    +
    +					.forPropertyAccessors(new PropertyTraversingMapAccessor(type, conversionService)) //
    +					.withConversionService(conversionService) //
    +					.withRootObject(map) //
    +					.build();
    +
    +			Expression expression = PARSER.parseExpression(propertyName);
    +
     			try {
     				expression.setValue(context, value);
     			} catch (SpelEvaluationException o_O) {
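Review bot: The new context construction (`EvaluationContext context = SimpleEvaluationContext … .build();`) carries no comment recording why it replaces the `StandardEvaluationContext` plus `REJECTING_LOCATOR` that the same commit removes, and since `propertyName` still arrives from the request and is parsed as a SpEL expression two lines later, the next maintainer needs that rationale before touching this block; the identical construction in ae1dd2741ce0 has the same gap. I would add above the chain: `// Request-supplied property paths are evaluated as SpEL, so the context deliberately exposes only the map accessor; as far as I can tell SimpleEvaluationContext offers no type-locator, constructor or bean resolution, which is what the old rejecting TypeLocator was guarding.` Separately, the empty line between `SimpleEvaluationContext //` and `.forPropertyAccessors(...)` splits one expression across a blank line and should be dropped, as the follow-up commit does. setPropertyValue begins and continues outside this hunk, including the body of the `catch (SpelEvaluationException o_O)` clause.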
    
ae1dd2741ce0

DATACMNS-1282 - Switched to SimpleEvaluationContext in MapDataBinder.

1 file changed · +9 13
  • src/main/java/org/springframework/data/web/MapDataBinder.java+9 13 modified
    @@ -44,11 +44,9 @@
     import org.springframework.expression.Expression;
     import org.springframework.expression.TypedValue;
     import org.springframework.expression.spel.SpelEvaluationException;
    -import org.springframework.expression.spel.SpelMessage;
     import org.springframework.expression.spel.SpelParserConfiguration;
     import org.springframework.expression.spel.standard.SpelExpressionParser;
    -import org.springframework.expression.spel.support.StandardEvaluationContext;
    -import org.springframework.expression.spel.support.StandardTypeConverter;
    +import org.springframework.expression.spel.support.SimpleEvaluationContext;
     import org.springframework.lang.Nullable;
     import org.springframework.util.Assert;
     import org.springframework.web.bind.WebDataBinder;
    @@ -176,16 +174,6 @@ public void setPropertyValue(String propertyName, @Nullable Object value) throws
     				throw new NotWritablePropertyException(type, propertyName);
     			}
     
    -			StandardEvaluationContext context = new StandardEvaluationContext();
    -			context.addPropertyAccessor(new PropertyTraversingMapAccessor(type, conversionService));
    -			context.setTypeConverter(new StandardTypeConverter(conversionService));
    -			context.setTypeLocator(typeName -> {
    -				throw new SpelEvaluationException(SpelMessage.TYPE_NOT_FOUND, typeName);
    -			});
    -			context.setRootObject(map);
    -
    -			Expression expression = PARSER.parseExpression(propertyName);
    -
     			PropertyPath leafProperty = getPropertyPath(propertyName).getLeafProperty();
     			TypeInformation<?> owningType = leafProperty.getOwningType();
     			TypeInformation<?> propertyType = leafProperty.getTypeInformation();
    @@ -213,6 +201,14 @@ public void setPropertyValue(String propertyName, @Nullable Object value) throws
     				value = conversionService.convert(value, TypeDescriptor.forObject(value), typeDescriptor);
     			}
     
    +			EvaluationContext context = SimpleEvaluationContext //
    +					.forPropertyAccessors(new PropertyTraversingMapAccessor(type, conversionService)) //
    +					.withConversionService(conversionService) //
    +					.withRootObject(map) //
    +					.build();
    +
    +			Expression expression = PARSER.parseExpression(propertyName);
    +
     			try {
     				expression.setValue(context, value);
     			} catch (SpelEvaluationException o_O) {
    

