{"id":"CVE-2017-8046","details":"Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9) or prior to 3.0.1 (Kay SR1), or Spring Boot versions prior to 1.5.9 or 2.0 M6, can use specially crafted JSON data to run arbitrary Java code.","aliases":["GHSA-9qf9-28h9-hqcj"],"modified":"2026-04-10T04:02:15.726485Z","published":"2018-01-04T06:29:00.307Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/100948"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2405"},{"type":"ADVISORY","url":"https://pivotal.io/security/cve-2017-8046"},{"type":"ADVISORY","url":"https://www.exploit-db.com/exploits/44289/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spring-projects/spring-boot","events":[{"introduced":"0"},{"fixed":"1e8b9569d3a3900a0ed61712099823ad735b8078"},{"introduced":"0"},{"last_affected":"a9503abb94b203a717527b81a94dc9d3cb4b1afa"},{"introduced":"0"},{"last_affected":"5482bae289df99722a607275e07a238447d2becd"},{"introduced":"0"},{"last_affected":"a3871adf3aa6f5499213ef026f84899b9cd38b65"},{"introduced":"0"},{"last_affected":"14563ef24c6a5ef0658af60a489466dbe5e5910c"},{"introduced":"0"},{"last_affected":"1c02e9e1eafa19ff7753d56105ed1f6fad5d2b9d"},{"introduced":"0"},{"fixed":"89c3cdc90c42f859113d951ebaefa76aab9b3a67"},{"introduced":"0"},{"last_affected":"c9c359fd271d1b51bf16f50d685c49fa40ca1b8a"},{"introduced":"0"},{"last_affected":"91e8744a0ab950f8125d21f5c24fb65ddbe57f94"},{"introduced":"0"},{"last_affected":"1cb6c7310a755b38cee2cdc8eae18c826c22e44e"},{"introduced":"0"},{"last_affected":"734e93dc884b151f4d4539e37de3636e7bd92ea7"},{"introduced":"0"},{"last_affected":"59194ed31b182368b61e46a48ae04c3a2b95bdd6"},{"introduced":"0"},{"last_affected":"8d2c6e5b119d09f44b8cf1a05850813dbf873ffe"},{"introduced":"0"},{"last_affected":"a2addaa8dc56facf41380a3aba4c5912515c82a7"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.5.9"},{"introduced":"0"},{
"last_affected":"2.0.0-milestone1"},{"introduced":"0"},{"last_affected":"2.0.0-milestone2"},{"introduced":"0"},{"last_affected":"2.0.0-milestone3"},{"introduced":"0"},{"last_affected":"2.0.0-milestone4"},{"introduced":"0"},{"last_affected":"2.0.0-milestone5"},{"introduced":"0"},{"fixed":"2.6.9"},{"introduced":"0"},{"last_affected":"3.0.0"},{"introduced":"0"},{"last_affected":"3.0.0-m1"},{"introduced":"0"},{"last_affected":"3.0.0-m2"},{"introduced":"0"},{"last_affected":"3.0.0-m3"},{"introduced":"0"},{"last_affected":"3.0.0-m4"},{"introduced":"0"},{"last_affected":"3.0.0-rc1"},{"introduced":"0"},{"last_affected":"3.0.0-rc2"}]}},{"type":"GIT","repo":"https://github.com/spring-projects/spring-data-rest","events":[{"introduced":"0"},{"last_affected":"c3dc9ebfaf232b6295e2bad5f40c306d7b21ba8a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.0.0-rc3"}]}}],"versions":["2.0.0.M1","2.0.0.RC1","2.0.0.RELEASE","2.1.0.M1","2.1.0.RC1","2.1.0.RELEASE","2.2.0.M1","2.2.0.RC1","2.2.0.RELEASE","2.3.0.M1","2.3.0.RC1","2.3.0.RELEASE","2.4.0.M1","2.4.0.RC1","2.4.0.RELEASE","2.5.0.M1","2.5.0.RC1","2.5.0.RELEASE","2.6.0.M1","3.0.0.M1","3.0.0.M2","3.0.0.M3","3.0.0.M4","3.0.0.RC1","3.0.0.RC2","3.0.0.RC3","v1.0.0.RC3","v1.0.0.RC4","v2.0.0.M1","v2.0.0.M2","v2.0.0.M3","v2.0.0.M4","v2.0.0.M5","v3.0.0","v3.0.0-M1","v3.0.0-M2","v3.0.0-M3","v3.0.0-M4","v3.0.0-RC1","v3.0.0-RC2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-8046.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}