Spring Data Commons 漏洞列表

Spring Data是一个用于简化数据库访问，并支持云服务的开源框架，Spring Data Commons是Spring Data下所有子项目共享的基础框架。Spring Data Commons 在2.0.5及以前版本中，存在一处SpEL表达式注入漏洞，攻击者可以注入恶意SpEL表达式以执行任意命令。 Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.

Pivotal Spring Data Commons和Spring Data REST都是美国Pivotal Software公司的产品。PivotalSpring Data Commons是一个为数据访问提供基于Spring模型的项目。Spring Data REST是一个建立在SpringData存储库之上的用于分析应用程序的域模型并公开超媒体驱动的HTTP资源。Pivotal Spring Data Commons和Spring DataREST中存在安全漏洞。远程攻击者可利用该漏洞执行代码。以下产品和版本受到影响：Spring Data Commons1.13版本至1.13.10版本，2.0版本至2.0.5版本及一些已不再支持的老版本；Spring Data REST2.6版本至2.6.10版本，3.0版本至3.0.5版本及一些已不再支持的老版本。

Spring Data是Spring框架中提供底层数据访问的项目模块，Spring Data Commons是一个共用的基础模块。