RCE with Spring Data Commons - Vulnerability Database

RCE with Spring Data Commons

Description

Spring Data Commons versions prior to 1.13.10 (1.13.x branch), 2.0.5 (2.0.x branch), and all older unsupported versions contain a remote code execution vulnerability due to improper input validation in the property binding mechanism. When processing user-supplied request parameters, the framework fails to properly sanitize special elements, allowing attackers to inject malicious Spring Expression Language (SpEL) expressions. This vulnerability can be exploited through Spring Data REST HTTP resources or when using Spring Data's projection-based request payload binding features.

Remediation

Immediately upgrade Spring Data Commons to a patched version to remediate this vulnerability:

  • For 2.0.x users: Upgrade to version 2.0.6 or later
  • For 1.13.x users: Upgrade to version 1.13.11 or later
  • For older unsupported versions: Migrate to a currently supported branch (2.0.6+ or 1.13.11+) as soon as possible

Update your dependency management configuration to reference the patched version. For Maven users, update your pom.xml:
<dependency>
    <groupId>org.springframework.data</groupId>
    <artifactId>spring-data-commons</artifactId>
    <version>2.0.6</version>
</dependency>

For Gradle users, update your build.gradle:
implementation 'org.springframework.data:spring-data-commons:2.0.6'

After upgrading, rebuild and redeploy your application. Verify the updated version is in use by checking your application's dependency tree.
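The last step above is easy to skip, and a transitive dependency (for example through a Spring Data module or a starter) can pull in an older spring-data-commons than the one you declared. The script below is an added example, not part of the Invicti advisory or of Spring's own tooling: it scans `mvn dependency:tree` output for the spring-data-commons artifact and reports whether the resolved version is below the patched releases named in the remediation (1.13.11 for 1.13.x, 2.0.6 for 2.0.x). It assumes the tree lines carry Maven coordinates as `groupId:artifactId:type:version:scope`, and it reports branches newer than 2.0.x as "not-covered" because the advisory says nothing about them; the sample tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the advisory): check the spring-data-commons
# version resolved in a Maven dependency tree against the patched releases the
# remediation names (1.13.11 for the 1.13.x branch, 2.0.6 for the 2.0.x branch).
# Assumptions: tree lines use "groupId:artifactId:type:version:scope";
# branches newer than 2.0.x are outside the advisory's scope -> "not-covered".

# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE='[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.0.0.RELEASE:compile
[INFO] |  +- org.springframework.data:spring-data-jpa:jar:2.0.5.RELEASE:compile
[INFO] |  |  \- org.springframework.data:spring-data-commons:jar:2.0.5.RELEASE:compile
[INFO] \- org.springframework:spring-web:jar:5.0.4.RELEASE:compile'

# classify_version <version> -> prints vulnerable | patched | not-covered | unknown
classify_version() {
    # Keep only the numeric major.minor.patch prefix ("2.0.5.RELEASE" -> "2.0.5").
    v=$(printf '%s' "$1" | sed 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/')
    case "$v" in
        *[!0-9.]*) echo unknown; return 0 ;;   # non-numeric residue, cannot compare
        *.*.*) ;;                               # major.minor.patch present
        *) echo unknown; return 0 ;;            # too few components
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        1.13) if [ "$patch" -ge 11 ]; then echo patched; else echo vulnerable; fi ;;
        2.0)  if [ "$patch" -ge 6 ];  then echo patched; else echo vulnerable; fi ;;
        *)
            # Anything older than 1.13.x is unsupported and affected per the
            # advisory; anything newer than 2.0.x is not covered by it.
            if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 13 ]; }; then
                echo vulnerable
            else
                echo not-covered
            fi ;;
    esac
}

# scan_tree <tree-text> -> one "<version> <status>" line per spring-data-commons entry
scan_tree() {
    printf '%s\n' "$1" | grep -F 'org.springframework.data:spring-data-commons:' |
    while read -r line; do
        # Strip everything up to the artifact coordinate: "jar:2.0.5.RELEASE:compile"
        coord=${line##*org.springframework.data:spring-data-commons:}
        ver=$(printf '%s' "$coord" | cut -d: -f2)
        printf '%s %s\n' "$ver" "$(classify_version "$ver")"
    done
}

# Demo run on the constructed sample; against a real build use:
#   scan_tree "$(mvn dependency:tree)"
scan_tree "$SAMPLE_TREE"
```

A line reporting `vulnerable` after you have bumped the declared version usually means another module still pins the old artifact transitively; add an explicit dependency on the patched spring-data-commons (or a `dependencyManagement` entry in Maven) so the resolved version moves to 2.0.6 or 1.13.11, then rerun the scan.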
