Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.

Affected Packages

Maven org.springframework.data:spring-data-commons

Affected versions: 1.13.0 (fixed in 1.13.12)

Maven org.springframework.data:spring-data-commons

Affected versions: 2.0.0 (fixed in 2.0.7)

Related CVEs

CVE-2018-1259

Key Information

GHSA ID

GHSA-m929-7fr6-cvjg

Published

October 17, 2018 5:23 PM

Last Modified

April 27, 2022 1:58 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.springframework.data:spring-data-commons

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.