Vulnerability - Expression Language Injection: Spring CVE-2017-8046

Jay Kantaria
January 2, 2019

During security scanning of our environment, the following vulnerability was found in Jira Data Center version 7.10.12.

During a brief search on the internet, I found that this is related to the Spring Data REST library version.

Any help will be appreciated in resolving or overcoming this CVE.


Spring Data REST provides REST web services on top of Spring Data repositories, exposing data structures representing the application model. A Spring Expression Language injection vulnerability identified by CVE-2017-8046 allows remote attackers to achieve remote code execution (RCE) in applications exposing Spring Data REST endpoints. This RCE can be exploited by attackers to invoke arbitrary Java commands (e.g. java.lang.Runtime.getRuntime().exec()), which can facilitate arbitrary command execution. The vulnerability is manifested in applications using Spring Data REST library 2.6.8 and earlier.


Andy Heinzer
January 3, 2019

We have had other users log support requests to investigate this specific CVE.  However our security team has found that Atlassian products such as Jira Cloud, Jira Server, and Jira Data Center are not actually affected by this because we are not using the Spring REST Data library in our products.

As such I believe this is likely a false positive of the scan.  Jira does have REST endpoints that can be accessed, but in this case I don't believe this CVE applies because Jira is not using the libraries that are affected by this.

Please let me know if you have any additional concerns.
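The reply above turns the question into a dependency check: the CVE only applies if the affected library is actually shipped with the application. The following script is an added example written for this thread (it is not Atlassian's code or any scanner's logic). It walks an installation directory, looks for spring-data-rest jars, and reports whether any is in the affected range (2.6.8 and earlier, as stated in the scanner text above). The install path and the jar naming pattern `spring-data-rest-<module>-<version>.jar` are assumptions; a result of "library not present" is the evidence you would attach when disputing the finding as a false positive.

```shell
#!/bin/sh
# Added example: inventory check for CVE-2017-8046 (Spring Data REST SpEL injection).
# Not from the thread or from Atlassian; the install layout and jar names are assumptions.
# Usage: sh check_spring_data_rest.sh /opt/atlassian/jira   (path is a placeholder)

# Return 0 if the numeric version $1 (e.g. 2.6.8 or 2.6.8.RELEASE) is <= 2.6.8,
# i.e. inside the affected range named by the scanner; 1 otherwise.
version_le_2_6_8() {
    v=${1%.RELEASE}                       # drop the Spring ".RELEASE" suffix if present
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -s -d. -f2)
    patch=$(printf '%s' "$v" | cut -s -d. -f3)
    [ -n "$minor" ] || minor=0
    [ -n "$patch" ] || patch=0
    num=$((major * 1000000 + minor * 1000 + patch))
    [ "$num" -le 2006008 ]                # 2.6.8 encoded the same way
}

# Scan a directory tree for spring-data-rest jars and print one line per jar:
#   <path> <version> AFFECTED|ok|REVIEW
# Exit status: 0 = library present but outside the affected range,
#              1 = at least one affected jar found,
#              2 = library not present at all (finding is likely a false positive).
check_install() {
    dir=$1
    list=$(find "$dir" -type f -name 'spring-data-rest-*.jar' 2>/dev/null)
    if [ -z "$list" ]; then
        printf 'no spring-data-rest jar under %s: library not present, CVE-2017-8046 finding is likely a false positive\n' "$dir"
        return 2
    fi
    affected=0
    old_ifs=$IFS
    IFS='
'                                          # split find output on newlines only, so paths with spaces survive
    for jar in $list; do
        base=$(basename "$jar")
        # pull the numeric version out of e.g. spring-data-rest-webmvc-2.6.8.RELEASE.jar
        ver=$(printf '%s\n' "$base" | sed -n 's/^spring-data-rest-[a-z]*-\([0-9][0-9.]*[0-9]\).*\.jar$/\1/p')
        if [ -z "$ver" ]; then
            printf '%s\tunknown-version\tREVIEW\n' "$jar"   # non-standard name: inspect manually
            continue
        fi
        if version_le_2_6_8 "$ver"; then
            affected=1
            printf '%s\t%s\tAFFECTED\n' "$jar" "$ver"
        else
            printf '%s\t%s\tok\n' "$jar" "$ver"
        fi
    done
    IFS=$old_ifs
    [ "$affected" -eq 0 ]
}

# Run against the directory given on the command line, if any.
if [ $# -ge 1 ]; then
    check_install "$1"
fi
```

The exit status is deliberately three-valued so the script can be dropped into a ticket workflow: 2 documents "not applicable", 0 documents "present but patched", and only 1 means the scanner finding stands. Jars bundled inside a WAR or a fat jar are not unpacked here; extend the `find` step if your deployment packages dependencies that way.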


