New QID for RCE in Pivotal Spring Data REST package

Document created by Dave Ferguson (Employee) on Apr 6, 2018. Last modified by Dave Ferguson (Employee) on Nov 21, 2018.

Hello all -


The Qualys WAS scanning engine has been updated with a new detection for a remote code execution (RCE) vulnerability in Pivotal Spring Data REST, a sub-project of the Spring Framework. This new detection capability is part of an ongoing effort to provide more coverage for known vulnerabilities in application frameworks. The vulnerability is known as "Spring Break" and its CVE ID is CVE-2017-8046. To exploit it, an attacker submits malicious PATCH requests containing specially crafted JSON data to a spring-data-rest server, which then executes arbitrary Java code on the server.
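Because the issue is triggered through PATCH requests carrying JSON data, a useful defensive check between the scanner finding and the upgrade is to validate JSON Patch bodies before they reach the application. The following is an added example written for this page, not code from Qualys or Pivotal: it triages PATCH requests with the `application/json-patch+json` media type and flags any operation whose `path` or `from` value is not a well-formed RFC 6901 JSON Pointer or whose `op` is not one of the six RFC 6902 operations. The request samples are constructed, and the function names (`triage_request`, `suspicious_patch_ops`) are my own; this is a generic input-integrity check for a reverse proxy or log review, not a signature for the CVE itself.

```python
import json
import re

# RFC 6901 JSON Pointer: empty string, or a sequence of "/" + reference-token,
# where a token may contain any character except "/" and "~" unless escaped
# as "~0" (for "~") or "~1" (for "/").
_JSON_POINTER = re.compile(r'^(/([^/~]|~[01])*)*$')

# The only operations RFC 6902 defines for a JSON Patch document.
_VALID_OPS = {"add", "remove", "replace", "move", "copy", "test"}


def path_is_valid_pointer(path):
    """True only if `path` is a string that parses as an RFC 6901 JSON Pointer."""
    return isinstance(path, str) and _JSON_POINTER.match(path) is not None


def suspicious_patch_ops(body):
    """Return a list of (operation index, reason) findings for a JSON Patch body.

    An empty list means every operation looked structurally legitimate.
    Index -1 is used for problems with the body as a whole.
    """
    try:
        ops = json.loads(body)
    except ValueError:
        return [(-1, "body is not valid JSON")]
    if not isinstance(ops, list):
        return [(-1, "JSON Patch body must be an array of operations")]

    findings = []
    for i, op in enumerate(ops):
        if not isinstance(op, dict):
            findings.append((i, "operation is not an object"))
            continue
        if op.get("op") not in _VALID_OPS:
            findings.append((i, "unknown or missing 'op': %r" % op.get("op")))
        # 'path' is mandatory; 'from' appears on move/copy. Both must be pointers.
        for field in ("path", "from"):
            if field in op and not path_is_valid_pointer(op[field]):
                findings.append((i, "%r is not a JSON Pointer: %r" % (field, op[field])))
    return findings


def triage_request(method, content_type, body):
    """Classify one request: 'ignored' (not a JSON Patch PATCH), 'clean' or 'suspicious'."""
    if method.upper() != "PATCH":
        return "ignored"
    if "json-patch+json" not in content_type.lower():
        return "ignored"
    return "suspicious" if suspicious_patch_ops(body) else "clean"


if __name__ == "__main__":
    # Constructed sample requests for a local demonstration.
    samples = [
        ("PATCH", "application/json-patch+json",
         '[{"op": "replace", "path": "/name", "value": "Alice"}]'),
        ("PATCH", "application/json-patch+json",
         '[{"op": "replace", "path": "name", "value": "x"}]'),   # no leading "/"
        ("PATCH", "application/json-patch+json",
         '[{"op": "move", "from": "/a~2b", "path": "/c"}]'),      # bad escape "~2"
        ("GET", "application/json", ""),
    ]
    for method, ctype, body in samples:
        print(method, ctype, "->", triage_request(method, ctype, body))
```

Only the structure of the patch document is checked here; the check is cheap, has no false positives on RFC-conformant clients, and gives you a log line to correlate with the QID 150201 finding while the upgrade described in Pivotal's advisory is rolled out.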


To ensure WAS tests for this serious issue, be sure that QID 150201 is enabled in your vulnerability scans.


More details about the vulnerability and how to fix it are available in Pivotal's security advisory.